Lighthouse 5.2.0 User Guide

Revision 1.0.0 2018-04-05

Lighthouse 5.2 User Guide 2

TABLE OF CONTENTS

1. Lighthouse Terminology 6

2. Lighthouse overview 7 2.1 Lighthouse VM 5.2.0 host requirements 7 2.2 Lighthouse architecture 7 2.2.1 Lighthouse to Node interactions 8 2.2.2 User to Lighthouse interactions 8 2.2.3 Node organization and filtering 9

3. Lighthouse VM installation 10 3.1 Lighthouse VM components 10 3.2 VMWare vSphere 6.0 via the VMWare vSphere 6.0 client on Windows 10 3.2.1 Launch the vSphere Client and connect to a vSphere instance. 10 3.2.2 Import the Lighthouse 5.2.0 VM Open Volume Format (.ovf) image 11 3.2.3 Launch the Opengear Lighthouse 5.2.0 virtual machine 13 3.2.4 Access the console of a running but headless Opengear Lighthouse instance 14 3.3 VMware Workstation Player on Windows as host 14 3.4 VMware Workstation Pro on Windows as host 15 3.5 VMware Workstation Player or Pro on Fedora Workstation as host 15 3.6 Local deployment on Hyper-V running on Windows 10/Windows Server 2016 16 3.7 Remote Hyper-V deployment with pre-authenticated user 16 3.8 Remote Hyper-V deployment with different user 16 3.9 VirtualBox on Windows as host 17 3.10 VirtualBox on macOS as host 18 3.11 VirtualBox on Ubuntu as host 19 3.12 VirtualBox on Fedora Workstation as host 20 3.13 Virtual Machine Manager (KVM) on Ubuntu as host 21 3.14 Boxes on Fedora Workstation as host 22 3.15 Boxes on CentOS as host 22

4. First boot of the Lighthouse VM 24

5. Initial system configuration 25 5.1 Loading Lighthouse 25 5.2 Login to Lighthouse 25 5.3 Setting the Lighthouse hostname 26 5.4 Adding external IP addresses manually (optional) 26 5.5 Setting the Lighthouse internal clock 28 5.6 Examine or modify the Lighthouse SSL certificate 29 5.7 Examine or modify Lighthouse Session Settings 30 5.8 Examine or change the MTU of the Lighthouse VPN tunnel 31 Lighthouse 5.2 User Guide 3

5.9 Enable or modify SNMP Service 31 5.10 Network connections 32

6. Shut down or restart Lighthouse 34 6.1 Shut down a running Lighthouse instance 34 6.2 Restarting a running Lighthouse instance 34

7. Using Lighthouse 35 7.1 Licensing third-party nodes before enrollment 35 7.1.1 Adding a license using the Lighthouse UI 35 7.1.2 Showing installed licenses in the Lighthouse UI 36 7.1.3 Showing installed licenses via the Local Terminal 37 7.2 Enrolling nodes 38 7.2.1 Enrollment overview 38 7.2.2 Enrollment bundles 38 7.2.3 Creating an enrollment bundle 39 7.2.4 Enrollment via Lighthouse Web UI 41 7.2.5 Enrollment via Node Web UI 44 7.2.6 Mass Enrollment using ZTP 44 7.2.7 Enrollment via USB drive 45 7.3 The Enrolled Nodes page 46 7.4 Filtering pages displaying nodes 47 7.4.1 Filtering using the Free Text Search field 47 7.4.2 Filtering using the Smart Group Filtering drop-down menu 47 7.4.3 Filtering using the Managed Device Filtering drop-down menu 48 7.5 Creating Smart Groups 49 7.6 Editing an existing Smart Group 49 7.7 Creating Managed Device Filters 50 7.8 Editing an existing Managed Device Filter 51 7.9 Connecting to a Node’s web-management interface 53 7.10 Connecting to a node’s serial ports via Console Gateway 53 7.10.1 Access via HTML5 Web Terminal 54 7.10.2 Access via SSH 54 7.10.3 Example Console Gateway session 56

8. Lighthouse user management 57 8.1 Password fields in Lighthouse 57 8.2 Creating new groups 57 8.3 Modifying existing groups 58 8.4 A note on default netgrp Lighthouse group 59 8.5 Creating new users 59 8.6 Modifying existing users 61 8.7 Deleting users 61 8.8 Disabling a Lighthouse root user 62 8.9 Configuring AAA 62 8.9.1 LDAP Configuration 62 Lighthouse 5.2 User Guide 4

8.9.2 RADIUS configuration 63 8.9.3 TACACS+ configuration 64

9. Lighthouse central configuration 66 9.1 Creating new group templates 66 9.2 Modifying existing group templates 67 9.3 Deleting group templates 67 9.4 Creating new authentication templates 68 9.5 Modifying existing authentication templates 69 9.6 Deleting authentication templates 70 9.7 Creating new script templates 70 9.8 Modifying existing script templates 71 9.9 Deleting script templates 72 9.10 Apply Templates 73

10. Command line tools 76

10.1 node-command 76 10.2 node-info 77 10.3 node-upgrade 77 10.4 ogadduser 79 10.5 ogconfig-cli 79 10.5.1 Commands to try from within the ogconfig-cli tool 79 10.5.2 Config searches uses ogconfig-cli 79 10.5.3 Changing a configuration from within ogconfig-cli 80 10.5.4 Configuration validation from within ogconfig-cli 80 10.5.5 Support for mounting the hard disks with ogconfig-cli 80 10.6 oglicdump 81 10.7 cron 81 10.8 sysflash 82 10.9 Selecting nodes using shell-based tools 83 10.9.1 Select all nodes 83 10.9.2 Running commands on selected nodes 83

11. System upgrades 84 11.1 Upgrading the system from within Lighthouse 84 11.2 Upgrading the Lighthouse system via the Local Terminal 85

12. Troubleshooting 86 12.1 Finding the current Lighthouse instance version 86 12.1.1 Using the web UI 86 12.1.2 Via the local Lighthouse shell 86 12.1.3 Other information sources related to a Lighthouse instance’s version 86 12.2 Technical support reports 87 12.2.1 Generate a support report via the Lighthouse interface 87 Lighthouse 5.2 User Guide 5

12.2.2 Generate a support report via the local terminal 88 12.3 Returning a Lighthouse instance to factory settings 88

13. Technical support 90

14. End-user license agreements 91 14.1 Opengear end-user license agreement 91 14.2 GNU general public license (GPL), version 2 93

15. Standard Warranty 98

Lighthouse 5.2 User Guide 6

1. Lighthouse Terminology

Terms used to define Lighthouse elements and concepts are listed below. Term Definition Enrollment Connecting a node to Lighthouse Enrollment Used to assign a number of tags to a set of nodes when they are enrolled. During enrollment, the Bundle bundle is specified using its name, and a bundle-specific enrollment token. Enrolled Node Node that has been connected to Lighthouse and is ready for use. Enrollment A password that authorizes the node with Lighthouse. Used when performing Node-based, or ZTP Token enrollment. Lighthouse Refers to the 5.1 and later releases of Lighthouse. Rewritten from the ground up, it provides a solid Ironman basis for accessing, managing and monitoring Opengear console servers. Lighthouse VPN The OpenVPN based connections that the Lighthouse instance has with the nodes it is managing Managed Device A device that is managed via a node through a serial, USB, or network connection. Node A device that can be enrolled with Lighthouse, allowing it to be accessed, managed, and monitored. Currently, Opengear console servers are supported on a standard license, with support for other vendors Console Servers available as an add-on. Pending Node A node that has been connected to Lighthouse and has been configured with a VPN Tunnel, but which has not yet been approved for access, monitoring, or management. The approval operation can be automated by configuring Lighthouse to auto- approve nodes. Role A set of access rights for a particular group. Three roles are defined within Lighthouse Ironman: Lighthouse Administrator, Node Administrator, and Node User. Smart Group Dynamic filter used to search for particular nodes, or for defining the access rights of a group of users. Smart Groups use node properties, as well as tags defined by users. Tag User-defined attribute and value that is assigned to one or more nodes. Tags are used when creating Smart Groups for filtering views or access to nodes.

Lighthouse 5.2 User Guide 7

2. Lighthouse overview

2.1 Lighthouse VM 5.2.0 host requirements • Lighthouse deploys as an application running in a Linux-based virtual machine(VM). The Lighthouse binary is available in both open (for VM managers such as Boxes, KVM, and VirtualBox), Vmware and Hyper-V specific Virtual Machine formats. • To run a Lighthouse VM, your host computer must be able to run a VM manager and at least one full 64-bit Linux-based virtual machine. • To host Lighthouse, the VM needs to be configured to support: • 10GB SCSI disk. • 1 x network interface card, preferably paravirtualised (virtio, vmxnet3), Realtek rtl8139, or Intel e1000 are also supported, bridged. • VGA console for initial setup. To dimension CPU and RAM resources, follow these guidelines: CPU and RAM utilization increase with the number of enrolled nodes. For small deployments (less than 100 nodes), allocate: • 2 x 64-bit CPU cores. • 4GB RAM. For medium deployments (between 100 and 600 nodes), allocate: • 4 x 64-bit CPU cores. • 8GB RAM. For large deployments (between 600 and 1200 nodes), allocate: • 4 x 64-bit CPU cores. • 16GB RAM. For very large deployments (more than 1200 nodes), allocate: • 8 x 64-bit CPU cores. • 32GB RAM. For large and very large deployments, please contact us for guidance on your deployment options, including low and zero-touch enrollment. The performance and limitations are dependent on network deployment.

2.2 Lighthouse architecture Lighthouse provides a platform for centrally accessing, managing, and monitoring Opengear console servers. Console servers connect to a central Lighthouse instance over an OpenVPN tunnel, and are accessed, managed, and monitored via services transported over the VPN tunnel. In Lighthouse terminology, the console server is referred to as the node.

Lighthouse 5.2 User Guide 8

2.2.1 Lighthouse to Node interactions For management and monitoring operations, Lighthouse queries and pushes data to and from a REST API on the node. When a node is initially enrolled in Lighthouse, Lighthouse generates an X.509 certificate. This certificate authenticates the OpenVPN tunnel and provides the node access to the Lighthouse REST API. The node also imports a Certificate Authority from Lighthouse and uses that to allow Lighthouse access to the node’s REST API. Lighthouse also provides a public SSH key to the node, which allows Lighthouse to access the node’s serial ports via SSH. For serial access, a node’s serial port subsystem is connected to via SSH. Users can also access the node's Web UI, which is reverse-proxied through the VPN tunnel.

2.2.2 User to Lighthouse interactions Users interact with Lighthouse via an Ember.js JavaScript application, which communicates with Lighthouse via a REST API. This REST API can integrate Lighthouse into other systems. Documentation for this API is available to allow for direct customer use. Lighthouse 5.2.0 has three REST API versions, v1, v1.1 and v2. Some of the endpoints in v1 and v1.1 have been deprecated, meaning the functionality and expected request body may be different. In general, it is advised to prefer the latest version of the REST API (v2) as this ensures the latest functionality is available.

Lighthouse 5.2 User Guide 9

2.2.3 Node organization and filtering To help search, organize, and filter access to nodes, Lighthouse uses Smart Groups which allow node properties and user-supplied tags, consisting of a name and value, to be compiled into a search expression. These search expressions can be saved and used to filter the various lists of nodes in the Web UI, for example when selecting a serial port to connect to or to connect to the node’s Web UI. They can also be used for selecting the nodes that a particular group of users will be able to access. To help locate managed devices, Lighthouse includes Managed Device Filtering which allows users to search for port labels on a node. This search can be saved and applied on the Manage > Managed Devices > Console Gateway page.

Lighthouse 5.2 User Guide 10

3. Lighthouse VM installation

3.1 Lighthouse VM components Lighthouse VM 5.2.0 is available in several formats: • An Open Volume Format file — lighthouse-5.2.0-ovf.zip — inside a PKZip archive. This is for use with virtual machine managers such as KVM and Virtual Box. • A VMware configuration file — lighthouse-5.2.0-vmx.zip —inside a PKZip archive. This is for use with virtual machine managers from VMware. • A raw (.hdd) file, lighthouse-5.2.0-raw.hdd.xz. This file has been compressed with xz and is for use with hosting services such as ElasticHosts. • An Open Virtual Appliance file — lighthouse-5.2.0.ova. This is for use with virtual machine managers such as VM and Virtual Box as well as for use with virtual machine managers from Vmware. • A Hyper-V configuration file with Powershell script — lighthouse-5.2.0-hyperv.zip —inside a PKZip archive. This is for use in Microsoft Hyper-V deployment. • An upgrade file, lighthouse-5.2.0.lh_upg.

3.2 VMWare vSphere 6.0 via the VMWare vSphere 6.0 client on Windows

This procedure assumes VMWare vSphere 6.0 is installed and running on available hardware. You must have access to a Windows computer on which the VMWare vSphere 6.0 client is installed and that this installed client application can connect to and manage the VMWare Sphere 6.0 instance. Finally, you need a copy of the Lighthouse 5.2.0 binary in Open Volume Format, the .ovf file, either copied to the Windows computer running the VMWare vSphere 6.0 client or available via a URL.

This procedure was tested using the VMware Sphere Client 6.0 running on Windows 7 Enterprise SP 1.

3.2.1 Launch the vSphere Client and connect to a vSphere instance. 1. Launch the VMware vSphere Client. The simplest way is to use the Start Menu shortcut added during installation. Start > All Programs > VMware > VMware vSphere Client The VMware vSphere Client opens a login window.

Lighthouse 5.2 User Guide 11

2. Select the IP address or name of the VMware vSphere instance where you want to install Lighthouse 5.2.0 from the IP address/Name drop-down list. 3. Enter the User name and Password required to gain management privileges to the selected VMware vSphere instance. 4. Click Login or press Return. The login window displays progress text in the bottom left corner: Connecting Loading inventory Loading main form Displaying main form The vSphere main form window opens.

3.2.2 Import the Lighthouse 5.2.0 VM Open Volume Format (.ovf) image 1. From the vSphere Client menu bar, choose File > Deploy OVF Template. The Deploy OVF Template window appears, with the first stage, Source, pre-selected. 2. If the file Opengear Lighthouse VM.ovf is on a remote computer via a URL, enter this URL in the Deploy from a file or URL field. Otherwise, click Browse. An Open dialog appears. Navigate to the directory containing the file Opengear Lighthouse VM.ovf.

Lighthouse 5.2 User Guide 12

In the following screenshot, the file is located at C:\Users\%USERNAME%\My Documents\Ironman.ovf\Opengear Lighthouse VM\.

Select Opengear Lighthouse VM.ovf and click Open. 3. The Deploy OVF Template window opens again, with the Opengear Lighthouse VM.ovf file listed in the Deploy from a file or URL combo-box. Click Next. 4. The OVF Template Details stage appears, showing basic information about the Lighthouse VM encapsulated by the .ovf file. Click Next. 5. The Name and Location screen appears with the Name field pre-populated and pre-selected. The default name is Opengear Lighthouse VM. To change this, enter a new name. Click Next. 6. The Disk Format screen displays which data-store the Lighthouse VM’s virtual disk uses, how much free space the virtual disk has available and which provisioning scheme is being used. Click Next. 7. The Network Mapping screen shows which destination or inventory network the Lighthouse VM’s virtual network is mapped to. Click Next. 8. The Ready to Complete screen appears, listing the basic properties of the about-to-be-deployed virtual machine. If you wish to power-up the new virtual machine immediately after deployment, select the Power on after deployment checkbox. Click Finish. 9. The Deploying Opengear Lighthouse VM progress dialog appears.

Lighthouse 5.2 User Guide 13

10. Once deployment has finished the Deployment Completed Successfully alert appears. Click Close. The new virtual machine is now deployed and appears in the inventory list.

3.2.3 Launch the Opengear Lighthouse 5.2.0 virtual machine

The vSphere Client provides several ways of launching a Virtual Machine hosted on a vSphere instance. Begin by selecting the Opengear Lighthouse VM from the vSphere Client’s inventory list. The selected VM can then be launched by doing one of the following:

1. Select Inventory > Virtual Machine > Power > Power On. 2. Press Ctrl-B. 3. Click the Power on the virtual machine link in the Basic Tasks section of the Getting Started tab. This option requires the Getting Started tab be front-most. If it is not already the front-most tab, make it active by clicking it.

Select Inventory > Virtual Machine > Open Console and then:

• Click Power On in the console tool bar, or • Choose VM > Power > Power On from the console menu bar, or • Press Ctrl-B.

NOTE: Only the last option above results in the running virtual machine being accessible from within the vSphere Client. The first three boot the Lighthouse VM and get it running headless.

Lighthouse 5.2 User Guide 14

3.2.4 Access the console of a running but headless Opengear Lighthouse instance

If direct interaction with a running but headless *Opengear Lighthouse VM* is required, open a console window.

Select the running Opengear Lighthouse VM in the vSphere Client’s inventory list, then do one of the following:

• Select Inventory > Virtual Machine > Open Console or • Right-click and select Open Console from the contextual menu that appears.

NOTE: A Lighthouse VM is currently running a bash shell with no other interactive options. As a result, when the vSphere Client opens its console window, the Lighthouse VM will capture the mouse pointer, making it unavailable for use by any other window. Press CTRL+ALT to release the pointer.

3.3 VMware Workstation Player on Windows as host

Follow these steps when VMware Workstation Player is installed on the host Windows machine. VMware- ready virtual machine files are stored in C:\Users\%USERNAME%\Virtual Machines\. This is the location selected by default by VMware Workstation Player. If another location is preferred, adjust this procedure as required.

Prepare the Lighthouse VM file for import into VMware Workstation Player.

1. Move the lighthouse-5.2.0-vmx.zip archive to C:\Users\%USERNAME%\Virtual Machines\. 2. Right-click the lighthouse-5.2.0-vmx.zip archive and select Extract all from the contextual menu. 3. A Select a Destination and Extract Files dialog will open. By default, the location is the same folder as the archive is in: C:\Users\%USERNAME%\Virtual Machines\. Leave this as the destination folder. 4. Uncheck the Show extracted files when complete checkbox and then click Extract. 5. A folder called ironman will be created inside C:\Users\%USERNAME%\Virtual Machines\.

Import the Opengear Lighthouse VM file into VMware Workstation Player.

1. Launch VMware Workstation Player. 2. Click Open a Virtual Machine. 3. Navigate to C:\Users\%USERNAME%\Virtual Machines\ironman\.

VMware Workstation Player points to Libraries > Documents and includes C:\Users\%USERNAME%\My Documents\.

Assuming this is the case, double-click Virtual Machines and then double-click Ironman.

Lighthouse 5.2 User Guide 15

4. If only one file — Ironman — is visible, double-click it to add the Lighthouse 5.2.0 virtual machine to the VMware Workstation 12 Player virtual machines list. If more than one file appears, double- click Ironman.vmx. 5. The Lighthouse virtual machine is added to the VMware Workstation 12 Player virtual machines list. 6. With Opengear Lighthouse VM selected in the VMware Workstation 12 Player virtual machine list, click Play virtual machine to boot Lighthouse.

3.4 VMware Workstation Pro on Windows as host

This procedure assumes VMware Workstation Pro is already installed on the host Windows machine and that VMware-ready virtual machine files are stored in C:\Users\%USERNAME%\Virtual Machines\. If another location is preferred, adjust the steps as needed.

Prepare the Opengear Lighthouse VM file for import into VMware Workstation Pro.

1. Move the lighthouse-5.2.0-vmx.zip archive to C:\Users\%USERNAME%\Virtual Machines\. 2. Right-click the lighthouse-5.2.0-vmx.zip archive and select Extract all from the contextual menu. 3. A Select a Destination and Extract Files dialog opens. The location is the same folder as the PKZip archive is in: C:\Users\%USERNAME%\Virtual Machines\. Leave this as the destination folder. 4. Uncheck the Show extracted files when complete checkbox and then click Extract. 5. A folder called ironman will be created inside C:\Users\%USERNAME%\Virtual Machines\.

Import the Opengear Lighthouse VM file into VMware Workstation Pro.

1. Click Open a Virtual Machine. 2. Navigate to C:\Users\%USERNAME%\Virtual Machines\ironman\. 3. VMware Workstation Pro points to Libraries > Documents and this library includes C:\Users\%USERNAME%\My Documents\. Double-click Virtual Machines and then double-click Ironman. 4. If only one file — Ironman — appears, double-click it to add the Lighthouse 5.2.0 virtual machine to the VMware Workstation Pro virtual machines list. If more than one file appears, double-click Ironman.vmx. 5. The Lighthouse 5.2.0 virtual machine is added to the VMware Workstation Pro virtual machines list. 6. With the Opengear Lighthouse VM selected in the My Computer listing and the subsequent Opengear Lighthouse VM tab open, click Power on this virtual machine to boot Lighthouse.

3.5 VMware Workstation Player or Pro on Fedora Workstation as host

VMware Workstation Player 12 cannot be installed on Fedora 25 without substantial reconfiguration of a base Fedora Workstation setup. Moreover, the reconfiguration leaves Fedora Workstation in a state that is entirely unsupported by any external entity.

Lighthouse 5.2 User Guide 16

Once appropriately reconfigured, it seems likely that Lighthouse 5.2.0 will run in VMware Workstation Player 12 on Fedora Workstation. At this stage Opengear does not support this particular combination of host operating system and virtual machine manager.

3.6 Local deployment on Hyper-V running on Windows 10/Windows Server 2016

This procedure assumes Hyper-V is already installed on a Windows 10/Windows Server 2016 host machine. This procedure also assumes the required Zip archive, ironmam-hyperv.zip is in C:\Users\%USERNAME%$\Downloads.

1. Unzip ironman-hyperv.zip. 2. Navigate to the extracted folder. Make sure ironman.vhd and lighthouse_virtual_machine_registration.ps1 are in the folder. 3. Right-click and choose Run with Powershell to execute the Powershell script. 4. Leave the host name empty when prompted to deploy Lighthouse to local machine. 5. Launch Hyper-V Manager. Lighthouse should be registered as a new VM image under Virtual Machine. 6. Select Lighthouse from the list and click Start in the Action Panel to boot Opengear Lighthouse.

3.7 Remote Hyper-V deployment with pre-authenticated user In this scenario, the user who performs Lighthouse deployment does not have local access to Hyper-V installed on Windows 2016. However, user has access to a Windows 10 which can manage the Hyper-V server remotely. This procedure assumes Hyper-V is installed on Windows Server 2016 host machine. Windows 10 is already configured to manage Hyper-V on Windows Server 2016. Windows 10 and Windows Server 2016 must have the same user (same password) created. It is assumed the user who performs the deployment has permission to both execute the Powershell script and deploy the image on Hyper-V. This procedure also assumes the required Zip archive ironman-hyperv.zip is in C:\Users\%USERNAME%$\Downloads.

1. Login to Windows 10 with the user mentioned above. 2. Unzip ironman-hyperv.zip 3. Navigate to the extracted folder. Make sure ironman.vhd and lighthouse_virtual_machine_registration.ps1 are in the folder. 4. Right-click and choose Run with Powershell to execute the Powershell script. 5. Enter the fully qualified domain name for Windows Server 2016 when prompted to deploy Lighthouse to the remotely-managed Windows Server 2016 machine. 6. Launch Hyper-V Manager. Lighthouse should be registered as a new VM image under Virtual Machine for Windows Server 2016. 7. Select Lighthouse from the list and click Start in the Action Panel to boot Opengear Lighthouse.

3.8 Remote Hyper-V deployment with different user

In this scenario, the user who performs Lighthouse deployment does not have local access to Hyper-V installed on Windows Server 2016. However, user has access to Windows 10 which can manage the Hyper-V server remotely. It is assumed the user who performs the deployment has permission to both

Lighthouse 5.2 User Guide 17 execute the Powershell script and deploy the image on Hyper-V. This procedure assumes Hyper-V is installed on Windows Server 2016 host machine. Windows 10 is already configured to manage Hyper-V on Windows Server 2016. This procedure also assumes the required Zip archive, ironmam-hyperv.zip, is in C:\Users\%USERNAME%$\Downloads.

1. Login to windows 10 with a user who does not exist on Windows Server 2016. 2. Unzip ironman-hyperv.zip. 3. Navigate to the extracted folder. Make sure ironman.vhd and lighthouse_virtual_machine_registration.ps1 are in the folder. 4. Right-click and choose Run with Powershell to execute the Powershell script. 5. Enter the fully qualified domain name for Windows Server 2016 when prompted to deploy Lighthouse to remotely -managed Windows Server 2016 machine. 6. Enter the user details created on Windows Server 2016 which has permission to deploy Hyper-V. 7. Launch Hyper-V Manager. Lighthouse should be registered as a new VM image under Virtual Machine for Windows Server 2016. 8. Select Lighthouse from the list and click Start in the Action Panel to boot Opengear Lighthouse.

3.9 VirtualBox on Windows as host

NOTE: If you have a Skylake processor, we recommend that you do not use VirtualBox.

NOTE: We recommend that VirtualBox users customize their instances and change their network cards to one other than e1000. We also suggest virtio for better performance.

This procedure assumes VirtualBox is already installed on the host machine. This procedure also assumes the required PKZip archive, lighthouse-5.2.0-ovf.zip is in C:\Users\%USERNAME%$\Downloads.

1. Unzip ironman-ovf. It may appear as lighthouse-5.2.0-ovf.zip depending on your Windows Explorer preference settings). 2. Right-click the ironman-ovf archive and select Extract all from the contextual menu. 3. The Select a Destination and Extract Files dialog opens. The destination is C:\Users\%USERNAME%\Downloads\Ironman-ovf. 4. Uncheck the Show extracted files when complete checkbox and edit the destination by removing Ironman-ovf from the path. 5. Click Extract. 6. A folder called ironman-ovf is created inside C:\Users\%USERNAME%\Downloads\. 7. Launch VirtualBox. 8. The Oracle VM VirtualBox Manager window appears. 9. Choose File > Import Appliance. 10. The Appliance to import dialog opens. 11. Click Expert Mode. 12. The Appliance to import dialog changes from Guided Mode to Expert Mode. 13. Click the icon of a folder with an upward pointing arrow superimposed. This icon is to the far right of the Appliance to import field. 14. The Open File dialog appears with C:\Users\%USERNAME%\Documents as the current folder.

Lighthouse 5.2 User Guide 18

15. Navigate to C:\Users\%USERNAME%\Downloads\Ironman.ovf\Opengear Lighthouse VM\. 16. Select the file Opengear Lighthouse VM and click Open. 17. Double-click the text vm in the Name row and Configuration column to make it editable. 18. Type Opengear Lighthouse VM and press Enter. 19. Click Import. 20. A new virtual machine, called Opengear Lighthouse VM is added to the list of virtual machines available to Virtual Box. 21. Select Opengear Lighthouse VM from the list. 22. Choose Machine > Settings. (Alternatively, click the Settings icon in the VirtualBox Manager toolbar, or press Control+S.) 23. The Opengear Lighthouse VM — Settings dialog appears. 24. Click the System option in the list of options running down the left-hand side of the dialog. 25. The dialog shows the System options available as three tabs: Motherboard, Processor, and Acceleration. Depending on the underlying hardware platform, Acceleration may be greyed-out and unavailable. The Motherboard tab is preselected. 26. In the Motherboard tab, select the Hardware Clock in UTC Time checkbox. 27. Click OK or press Return. 28. Select Opengear Lighthouse VM from the list and click Start in the Oracle VM VirtualBox Manager toolbar to boot Lighthouse. Double-clicking Opengear Lighthouse VM in the list also boots Lighthouse.

NOTE: Selecting the Hardware Clock in UTC Time checkbox is necessary because Lighthouse expects the hardware clock to be set to UTC, not local time. Unlike other Virtual Machine Managers, Virtual Box both exposes this option as a user-adjustable setting and does not set it to UTC by default.

3.10 VirtualBox on macOS as host

VirtualBox should already installed on the host macOS machine. This procedure also assumes the required PKZip archive, lighthouse-5.2.0-ovf.zip is in ~/Downloads.

1. Unzip lighthouse-5.2.0-ovf.zip.

This creates a folder — Ironman-ovf — in ~/Downloads that contains the following files and folders:

Ironman-ovf └── Opengear Lighthouse VM ├── Opengear Lighthouse VM.ovf └── Opengear_Lighthouse_VM-disk1.vmdk

2. Launch Virtual Box. The Oracle VM VirtualBox Manager window appears. 3. Choose File > Import Appliance or press Command+I. 4. The Appliance to import dialog sheet slides down from the Oracle VM VirtualBox Manager toolbar.

Lighthouse 5.2 User Guide 19

5. Click Expert Mode. The Appliance to import dialog sheet changes from Guided Mode to Expert Mode. 6. Click the icon of a folder with an upward pointing arrow superimposed. This icon is to the far-right of the Appliance to import field. 7. The Open File dialog sheet slides down from the Oracle VM VirtualBox Manager toolbar. This sheet opens with ~/Documents as the current folder. 8. Navigate to ~/Downloads/Ironman.ovf/Opengear Lighthouse VM/. 9. Select Opengear Lighthouse VM and click Open. (Depending on your Finder Preferences settings, the file may present as Opengear Lighthouse VM.ovf.) 10. Double-click the text vm in the Name row and Configuration column to make it editable. 11. Type Opengear Lighthouse VM and hit Return. 12. Click Import. A new virtual machine, called Opengear Lighthouse VM is added to the list of virtual machines. 13. Select Opengear Lighthouse VM from the list. 14. Choose Machine > Settings. Or click the Settings icon in the VirtualBox Manager toolbar. The Opengear Lighthouse VM — Settings dialog appears. 15. Click the System option in the dialog’s toolbar. 16. The dialog shows the System options available as three tabs: Motherboard, Processor, and Acceleration. (Depending on the underlying hardware platform, Acceleration may be greyed-out and unavailable). The Motherboard tab is preselected. 17. In the Motherboard tab, select the Hardware Clock in UTC Time checkbox. 18. Click OK or press Return. 19. Select Opengear Lighthouse VM from the list and click Start in the Oracle VM VirtualBox Manager toolbar to boot Lighthouse. (Double-clicking Opengear Lighthouse VM in the list also boots Lighthouse.)

NOTE: Selecting the Hardware Clock in UTC Time checkbox is necessary because Lighthouse expects the hardware clock to be set to UTC, not local time. Unlike other Virtual Machine Managers, Virtual Box both exposes this option as a user-adjustable setting and does not set it to UTC by default.

NOTE: By default, VirtualBox stores virtual machines in ~/VirtualBox VMs. If this is the first virtual machine setup by VirtualBox, it will create the VirtualBox VMs folder in the current user’s home- directory and create a folder — Opengear Lighthouse VM — inside the VirtualBox VMs folder. The Opengear Lighthouse VM folder contains the files and folders which make up Lighthouse when run under Virtual Box.

3.11 VirtualBox on Ubuntu as host

Before beginning, make certain that VirtualBox and all required support files are installed on the host machine and the PKZip archive, lighthouse-5.2.0-ovf.zip is in ~/Downloads.

1. Unzip lighthouse-5.2.0-ovf.zip.

This creates a folder — Ironman-ovf — in ~/Downloads that contains the following files and folders:

Ironman-ovf

Lighthouse 5.2 User Guide 20

└── Opengear Lighthouse VM ├── Opengear Lighthouse VM.ovf └── Opengear_Lighthouse_VM-disk1.vmdk

2. Launch Virtual Box. 3. The Oracle VM VirtualBox Manager window appears. 4. Choose File > Import Appliance. 5. The Appliance to import dialog opens. 6. Click Expert Mode. 7. The Appliance to import dialog changes from Guided Mode to Expert Mode. 8. Click the icon of a folder with an upward pointing arrow superimposed. This icon is to the far right of the Appliance to import field. 9. A file-navigation dialog, Please choose a virtual appliance to import, opens with ~/Documents as the current folder. 10. Navigate to ~/Downloads/Ironman.ovf/Opengear Lighthouse VM/. 11. Select Opengear Lighthouse VM.ovf and click Open. 12. Double-click the text vm in the Name row and Configuration column to make it editable. 13. Type Opengear Lighthouse VM and hit Return. 14. Click Import. 15. A new virtual machine, called Opengear Lighthouse VM is added to the list of virtual machines available to Virtual Box. 16. Select Opengear Lighthouse VM from the list and click Start in the Oracle VM VirtualBox Manager toolbar to boot Lighthouse. Double-clicking Opengear Lighthouse VM in the list also boots Lighthouse.

NOTE: VirtualBox stores virtual machines in ~/VirtualBox VMs. If this is the first virtual machine setup by VirtualBox it will create the VirtualBox VMs folder in the current user’s home-directory and create a further folder — Opengear Lighthouse VM — inside the VirtualBox VMs folder. Inside Opengear Lighthouse VM are the files and folders which make up Lighthouse when run under Virtual Box.

3.12 VirtualBox on Fedora Workstation as host

Before beginning, make certain that VirtualBox and all required support files are already installed on the host machine and the PKZip archive, lighthouse-5.2.0-ovf.zip is in ~/Downloads.

1. Unzip lighthouse-5.2.0-ovf.zip. This creates a folder — Ironman.ovf — in ~/Downloads that contains the following files and folders:

Ironman.ovf └── Opengear Lighthouse VM ├── Opengear Lighthouse VM.ovf └── Opengear_Lighthouse_VM-disk1.vmdk

2. Launch Virtual Box. The Oracle VM VirtualBox Manager window appears. 3. Choose File > Import Appliance or press Control-I. The Appliance to import dialog opens.

Lighthouse 5.2 User Guide 21

4. Click Expert Mode. The Appliance to import dialog changes from Guided Mode to Expert Mode. 5. Click the icon of a folder with an upward pointing arrow superimposed. This icon is to the far right of the Appliance to import field. The Open File dialog opens with ~/Documents as the current folder. 6. Navigate to ~/Downloads/Ironman.ovf/Opengear Lighthouse VM/. 7. Select Opengear Lighthouse VM and click Open. 8. Double-click the text vm in the Name row and Configuration column to make it editable. 9. Type Opengear Lighthouse VM and hit Return. 10. Click Import. A new virtual machine, called Opengear Lighthouse VM is added to the list of virtual machines available to Virtual Box. 11. Select Opengear Lighthouse VM from the list and click Start in the Oracle VM VirtualBox Manager toolbar to boot Lighthouse. Double-clicking Opengear Lighthouse VM in the list also boots Lighthouse.

NOTE: VirtualBox stores virtual machines in ~/VirtualBox VMs. If this is the first virtual machine setup by VirtualBox, it will create the VirtualBox VMs folder in the current user’s home-directory and create a further folder — Opengear Lighthouse VM — inside the VirtualBox VMs folder. Inside Opengear Lighthouse VM are the files and folders which make up Lighthouse when run under Virtual Box.

3.13 Virtual Machine Manager (KVM) on Ubuntu as host

Virtual Machine Manager and all required support files should be installed on the host machine and the the .xz archive, lighthouse-5.2.0-raw.hdd.xz is in ~/Downloads.

1. Expand lighthouse-5.2.0-raw.hdd.xz. This extracts lighthouse-5.2.0-raw.hdd in ~/Downloads. 2. Launch Virtual Machine Manager. 3. Click New at the top left of the Virtual Machine Manager window (or choose File > New Virtual Machine). The Source Selection window opens. 4. Click Select a file. A Select a device or ISO file dialog slides into view. 5. Navigate to ~/Downloads/. 6. Select the file lighthouse-5.2.0-raw.hdd and click Open in the top right-hand corner of the dialog. A Review window opens providing basic information about the virtual machine or box, as Boxes calls them, to be created. 7. Click Create in the top right corner of the Review window. 8. A new virtual machine instance, Opengear_Lighthouse_VM-disk1, is created and presented in the Boxes window. 9. To rename the virtual machine instance, right-click on the machine instance and choose Properties from the contextual menu that appears. Click anywhere in the Name field to select and edit the name. Click the close box to save the changes.

Lighthouse 5.2 User Guide 22

3.14 Boxes on Fedora Workstation as host

Boxes and all required support files should be installed on the host machine and lighthouse-5.2.0- ovf.zip is in ~/Downloads.

1. Unzip lighthouse-5.2.0-ovf.zip. This creates a folder — Ironman.ovf — in ~/Downloads that contains the following files and folders:

Ironman.ovf └── Opengear Lighthouse VM ├── Opengear Lighthouse VM.ovf └── Opengear_Lighthouse_VM-disk1.vmdk

2. Launch Boxes. 3. Click New in the Boxes window title bar. The Source Selection window opens. 4. Click Select a file. A Select a device or ISO file dialog opens. 5. Navigate to ~/Downloads/Ironman.ovf/Opengear Lighthouse VM/. 6. Select the file Opengear_Lighthouse_VM-disk1.vmdk and click Open in the top right-hand corner of the dialog. A Review window opens providing basic information about the virtual machine (or ‘box’, as Boxes calls them) to be created 7. Click Create in the top right corner of the Review window. 8. A new virtual machine instance, Opengear_Lighthouse_VM-disk1 is created and presented in the Boxes window. 9. To rename the virtual machine instance, right-click on the machine instance and choose Properties from the contextual menu that appears. Click anywhere in the Name field to select and edit the name. Click Close to save the changes.

3.15 Boxes on CentOS as host

CentOS should be installed, complete with the Gnome desktop environment as the host operating system. CentOS includes the full complement of KVM-centric virtualization tools including the GUI-based virtualization management tools Boxes and virt-manager and the shell-based virtualization management tool virsh.

This procedure assumes Boxes is used to setup and manage the Lighthouse VM.

Finally, this procedure assumes the required PKZip archive, lighthouse-5.2.0-ovf.zip is in ~/Downloads.

1. Unzip lighthouse-5.2.0-ovf.zip.

This creates a folder — Ironman.ovf — in ~/Downloads that contains the following files and folders:

Ironman.ovf └── Opengear Lighthouse VM ├── Opengear Lighthouse VM.ovf

Lighthouse 5.2 User Guide 23

└── Opengear_Lighthouse_VM-disk1.vmdk

2. Launch Boxes 3. Click New in the Boxes title bar. 4. Navigate to ~/Downloads/Ironman.ovf/Opengear Lighthouse VM/ 5. Select Opengear Lighthouse VM and click Open. A new virtual machine, called Opengear LighthouseVM is added to the list of virtual machines available to Boxes.

Lighthouse 5.2 User Guide 24

4. First boot of the Lighthouse VM

During boot, two screens open.

1. The first notes the VM is Booting to latest installed image.

The selected image is Lighthouse Root 1. Two other images are available: Lighthouse Root 1 and Memtest86+. Do not change the boot image the VM boots from.

2. The second screen prompts you to Select Lighthouse boot mode and displays four options:

• Graphics console boot • Graphics console recovery mode • Serial console boot • Serial console recovery mode

3. Graphics console boot is pre-selected and should not be changed. 4. After the first boot has completed a message appears:

Welcome to Ironman. This is software version: 5.2.0

5. The final procedure in the initial setup appears:

To complete initial setup, please set a new root password. Press ENTER to continue.

6. After pressing Enter, a prompt appears:

Enter new root password:

7. Enter a strong, high-entropy password and press Enter. 8. The confirm prompt appears:

Confirm given password

9. Re-enter the password and press Enter. 10. Multiple configuration notices present ending with a login prompt:

opengear-lighthouse login:

11. Enter root (the only user able to login at this point) and press Enter. 12. A password prompt appears:

Password:

13. Enter the newly-set password and press Enter. 14. A standard bash shell prompt appears.

Lighthouse 5.2 User Guide 25

root@opengear-lighthouse:~#

5. Initial system configuration

5.1 Loading Lighthouse

When the Lighthouse VM is booted and running, it is addressable at either of two IP addresses:

• The fixed address, 192.168.0.1, or • The address it is assigned by any DHCP server it finds.

Open a new browser window or tab and enter:

1. https://192.168.0.1/ or https://[DHCP-supplied address]/ in the address bar 2. Press Return. The Lighthouse Login page loads.

5.2 Login to Lighthouse

To login to Lighthouse:

1. Enter a username in the Username field. 2. Enter the password in the Password field. 3. Click Log In or press Enter. The Dashboard loads. 4. Click System right top icon to see Current user.

Lighthouse 5.2 User Guide 26

NOTE: The appearance of the Dashboard, the Sidebar, and other Lighthouse pages, will depend on the privileges assigned to the logged-in user. In this guide, screenshots represent what the root user sees. Users with different privileges will see filtered views of available nodes, users, groups, tags and Smart Groups and will have different privileges regards creating and changing settings within Lighthouse. For example, users other than root can edit their own account settings but cannot edit other user’s accounts. A user may also be restricted to what they can do with enrolled nodes or what new nodes they can enroll.

5.3 Setting the Lighthouse hostname

To set the hostname for a running Lighthouse instance:

1. Select Settings > System > Administration. 2. Edit the Hostname field as required.

3. Click Apply.

5.4 Adding external IP addresses manually (optional)

Adding a Lighthouse instance’s external IP address or addresses to a Lighthouse instance’s configuration is an optional step.

Lighthouse 5.2 User Guide 27

To add a single external address:

1. Select Settings > System > Administration.

2. In the Address field of the External Network Addresses section, enter an IP address. 3. (Optional step) Change the API Port, VPN Port or both, if the ports used on the entered IP address are different from the default (443 and 1194, respectively). 4. Click Apply.

To manually add further external addresses to a Lighthouse instance’s configuration:

1. Click the + button. A second row appears in the External Network Addresses section. 2. In the newly presented Address field, enter an IP address. 3. (Optional step) Change the API Port, VPN Port or both, if the ports used on the entered IP address are different from the default (443 and 1194, respectively). 4. Add further IP addresses as required by repeating the steps above. 5. Click Apply.

To change the order in which manually-added IP addresses are sent to remote nodes:

1. Click the up and down arrows in the Order column to change the order in which the IP addresses are listed. The presented order reflects the order in which these addresses are sent out. 2. Click Apply.

If external IP addresses are manually added to a Lighthouse configuration, these addresses are sent to a remote node during enrollment. If no external IP address is manually added to a Lighthouse configuration, default external IP addresses are used.

The external IP addresses are sent to a remote node during enrollment in the following order:

1. net1:dhcp 2. net1:static

Lighthouse 5.2 User Guide 28

3. The IP address connected to the default gateway.

5.5 Setting the Lighthouse internal clock

To set the time zone:

1. Select Settings > Date & Time > Time Zone. 2. Select the Lighthouse instance’s time-zone from the Time Zone dropdown list. 3. Click Apply.

To set the correct time and date, either

1. Select Settings > Date & Time > Manual Settings. 2. Enter the current Date and Time. 3. Click Apply.

Lighthouse 5.2 User Guide 29

or

1. Select Settings > Date & Time > Automatic Settings. 2. Click the Enabled checkbox. 3. Enter a working NTP Server address in the NTP Server Address field. 4. Click Apply.

5.6 Examine or modify the Lighthouse SSL certificate

Lighthouse ships with a private SSL Certificate that encrypts communications between it and your browser.

Lighthouse 5.2 User Guide 30

To examine this certificate, or generate a new Certificate Signing Request select Settings > Services > HTTPS Certificate. The details of the Current SSL Certificate appear.

Below this listing is a Certificate Signing Request form, which can be used to generate a new SSL certificate.

5.7 Examine or modify Lighthouse Session Settings

To modify Web and CLI session settings select Settings > Services > Session Settings.

• Web Session Timeout: This value can be set from 1 to 1440 minutes. • CLI Session Timeout: This value can be set from 1 to 1440 minutes. You can also set it to 0 to disable the timeout. Changes will take effect the next time a user logs in via the CLI. • Enable additional enrollment-only REST API port: This port defaults to 8443. When this option is enabled, only /nodes endpoint is accessible via port 8443(GET/POST/PUT) and all other endpoints return a 404 Not Found error. Enabling this API allows users who are using NAT for the Lighthouse to expose an external port publicly only for nodes that are attempting to enroll to the Lighthouse, and not for the other functionality available from the REST API. After this option is disabled, all endpoints should be accessible as per normal usage.

Lighthouse 5.2 User Guide 31

5.8 Examine or change the MTU of the Lighthouse VPN tunnel

The MTU setting can be configured for traffic that is travelling through the Lighthouse VPN in an attempt to solve MTU path discovery problems. To examine the MTU of the Lighthouse VPN tunnel, or to modify it, select Settings > Services > Lighthouse VPN. Allowed values are between 1280 and 1500.

5.9 Enable or modify SNMP Service SNMP settings can be configured through the Lighthouse VPN. Select Settings > Services > SNMP Service. It is accessible only by users assigned to the Lighthouse Administrator role.

Lighthouse supports both v1/v2 and v3 SNMP, and you can have either or both running at the same time. The SNMP service is not enabled by default and will only start once it has been configured correctly. If the user does not provide an engineID, the auto-generated ID coming out of snmpd will be displayed. Only standard enterprise MIBs can be used currently, Lighthouse Health statistics (load/uptime/memory usage, etc.) can be retrieved.

Lighthouse 5.2 User Guide 32

To enable SNMP Service,

1. Select the Enable checkbox. 2. Choose from the v1/v2c and v3 checkboxes. 3. Fill in the appropriate information for the SNMP versions. 4. Click Apply.

5.10 Network connections

To see the network connections available to Lighthouse, select Settings > Network Connections > Network Interfaces

Lighthouse 5.2 User Guide 33

This displays only two connections: static and DHCP interfaces.

If you log in to the Lighthouse VM and run ifconfig, the two connections listed correspond to the following returned interfaces:

• default-static is net1:static. • default-DHCP is net1:dhcp.

To edit a given network interface:

1. Select Settings > Network Connections > Network Interfaces 2. Click Edit in the Actions section of the network interface to be modified. 3. Make the desired changes. 4. Click Apply.

NOTE: Don’t change the configuration method. Instead, disable the interface you don’t want to use by unchecking the Enabled checkbox. If default-static and default-DHCP are changed to the same configuration method (i.e. both are set to Static assignment or both are set to DHCP) neither interface will work.

Lighthouse 5.2 User Guide 34

6. Shut down or restart Lighthouse

6.1 Shut down a running Lighthouse instance

To shut down a running Lighthouse instance:

1. Select Manage > Lighthouse > Local Terminal

2. At the Local Terminal login prompt enter a username with administrative privileges (e.g. root). 3. At the Password: prompt, enter that account’s password. A Last login date and time for that account are returned to STD OUT and a shell prompt for the newly logged in user appears. 4. Enter the command shutdown now and press Return. The virtual machine shuts down.

6.2 Restarting a running Lighthouse instance

To restart a running Lighthouse instance, follow the first three steps of the Shutting down a running Lighthouse instance procedure above. At the shell prompt, enter one of these commands and press Return:

• reboot • shutdown -r now

The Lighthouse virtual machine shuts down and reboots.

Lighthouse 5.2 User Guide 35

7. Using Lighthouse

After Lighthouse has been installed and configured, a small set of nodes should be enrolled, and a set of tags and smart groups should be created, that will allow nodes access to be filtered to the correct subset of users.

Once these nodes are installed, access to the Node’s Web UI and serial ports should be tested.

This section covers:

1. Licensing third-party nodes before enrollment 2. Enrolling nodes 3. Creating Smart Groups 4. Accessing the node’s Web UI 5. Accessing the node’s serial ports via Console Gateway

7.1 Licensing third-party nodes before enrollment

Lighthouse 5.2.0 includes support for managing third-party remote nodes.

Support for third-party remote nodes is not built-in to a new Lighthouse instance, however: it is added via a license.

A license is an encrypted, RFC 7519-compliant, JSON web token that contains key-value pairs describing the features and entitlements of a given third-party remote node. Licenses are distributed by Opengear and will be available as encrypted ASCII strings sent by e-mail via a fulfillment procedure.

Before enrolling a third-party remote node, its corresponding license must be added to Lighthouse as follows:

7.1.1 Adding a license using the Lighthouse UI

1. Select Settings > System > Licensing 2. Click the + button.

Lighthouse 5.2 User Guide 36

3. Paste the encrypted license text string into the License body text box. 4. Click Apply.

7.1.2 Showing installed licenses in the Lighthouse UI

To see all installed licenses, select Settings > System > Licensing.

Lighthouse 5.2 User Guide 37

Installed licenses are also shown on the Lighthouse dashboard at Monitor > Dashboard.

The dashboard also displays messages when:

• The number of nodes supported by a license has been reached or exceeded. • The maintenance period of a license has expired.

7.1.3 Showing installed licenses via the Local Terminal oglicdump is a shell-based tool that writes the current licensing status of a Lighthouse instance to STD OUT (or, using the -o switch, a file).

For example: # oglicdump { "OGLH": { "contact": { "email": "[email protected]", "name": "N/A", "phone": "N/A" }, "features": { "additional": { "thirdpartynodes": "1" }, "maintenance": 1599004800, "nodes": 250 } } }

If no licenses are installed, oglicdump returns the following:

# oglicdump

Lighthouse 5.2 User Guide 38

No data found

7.2 Enrolling nodes

7.2.1 Enrollment overview

Enrolling nodes is the process of connecting nodes to Lighthouse to make them available for access, monitoring, and management. Enrollment can be performed via:

• The Lighthouse Web UI • The Node Web UI • ZTP • USB key

Credentials must be provided to authenticate either the Lighthouse during enrollment via the Lighthouse WebUI, or the node during the other enrollment scenarios.

The Lighthouse VPN uses certificate-authenticated OpenVPN tunnels between Lighthouse and remote nodes. These tunnels rely on the time being synchronized between the Lighthouse instance and the console server or other remote node. During enrollment, if a remote node is not relying on an NTP server to set its time, it inspects the HTTP Date header sent by Lighthouse and sets its local time to match that of the Lighthouse instance.

If a remote node is relying on an NTP server to set its own time, it still checks the HTTP Date header sent by Lighthouse to affect the time synchronization but does not set its local time to that of the Lighthouse instance.

When enrolling via Lighthouse, an administration username and password for the node must be provided. When enrolling via the node, an enrollment token must be provided. A default enrollment token can be set on the Configure Nodes > Enrollment Settings page, and individual tokens set per enrollment bundle.

Enrollment is a two-step process:

1. Once enrollment starts, nodes receive their enrollment package, and establish a VPN connection to Lighthouse. 2. The node is now in the Pending state and needs to be Approved before the node is available for access, management, or monitoring.

NOTE: This second step can be skipped by selecting the Auto-approve node checkbox when configuring an enrollment bundle.

7.2.2 Enrollment bundles

An enrollment bundle is a downloadable file that stores provisioning information, allowing for bulk enrollment and manipulation of remote nodes.

Lighthouse 5.2 User Guide 39

Applying an enrollment bundle during enrollment allows tags to be associated with nodes when they’re first enrolled, rather than manually assigning tags after the nodes are enrolled.

This is useful for larger roll-outs where there will be many nodes deployed with a similar configuration and responsibilities. If relevant Smart Groups and tags have been set up, newly enrolled nodes will be immediately visible for the relevant users to configure and use.

Associating templates with an enrollment bundle allows to run a set of templates on a node, after it has been enrolled. Any template currently defined on the Lighthouse can be added to an enrollment bundle, and each bundle supports any number of templates.

7.2.3 Creating an enrollment bundle

An enrollment bundle file, manifest.og, contains a series of field-value pairs that an unconfigured device can use to configure itself.

Options that can be set in manifest.og include new firmware, custom configuration scripts, OPG config files, and Lighthouse enrollment details.

By default, manifest.og includes the following field-value pairs (with example values): address=192.168.88.20 api_port=4443 bundle=bne-dc password=secret

Custom field-value pairs can be added manually. The field names are potential field names for a real- world, customized file, but the values following each field name are examples: script=configure_ports.sh image=acm7000-3.16.6.image external_endpoints=192.168.1.2:4444,192.168.1.3:4445

A manifest.og file can be created in a Lighthouse instance as follows:

1. Select Configure Nodes > Enrollment Bundles

Lighthouse 5.2 User Guide 40

2. Click the + button. The Enrollment Bundle Details dialog appears.

3. Enter a Name and Authentication Token for the bundle in the respective fields. 4. Select the number of Tags and Values to apply to any nodes that enroll using this enrollment bundle. 5. (Optional) Select the Auto-approve node checkbox.

When this is checked, a device configured using this enrollment bundle is not placed in pending mode during the enrollment process. Instead, it is automatically approved for enrollment after it has been identified.

Lighthouse 5.2 User Guide 41

With the enrollment bundle named, use the Enrollment Bundle Node Tags to populate it with the desired name-value pairs:

1. Select a field name from the left-most drop-down menu. 2. Select or enter a value from the right-most drop-down menu. 3. Click the + button to add a new pair of drop-down menus. 4. Select another field name and select or enter another value. 5. Repeat until all desired name-value pairs are displayed. 6. Click Apply.

With the enrollment bundle named, use the Templates to populate it with the desired list of templates to be applied post-enrollment:

1. Click the + button to add a new pair of drop-down menus. 2. Select a value from the Template Type menu. The selected template type will filter the available names to those templates that are of that type. Note that to apply script templates, nodes need to be running firmware version 4.1.1 or later. 3. Select a value from the Template Name menu. 4. Repeat until all desired type-name pairs are displayed. 5. Click Apply. 6. The templates in the table can be reordered using the arrow buttons in the far-left column of the table and are executed in the order they appear. The order buttons appear if there is more than one template in the table.

Template push operations will stop from continuing if one template fails.

7.2.4 Enrollment via Lighthouse Web UI

1. Select the Add Node shortcut in the top menu bar to bring up the new enrollment dialog. 2. Select the Product type from the Product drop-down menu. 3. Available options in the Product drop-down menu are:

• An Opengear device • A generic third-party device • An Avocent ACS6000 • An Avocent ACS8000 • An Avocent ACS Classic • A Cisco 2900 Series

Lighthouse 5.2 User Guide 42

NOTE: Enrolling an Avocent ACS6000, an Avocent ACS8000, an Avocent ACS Classic, or a Cisco 2900 Series requires the device’s license to have been added as per the Licensing third-party nodes before enrollment procedure above. If an appropriate license has not been added to Lighthouse, the procedure will return a No licenses have been applied error and the node will not be added to Lighthouse.

4. Enter the Name, Network Address, Username, and Password of the node being enrolled. The Username and Password fields are for the login credentials required by the remote node being enrolled, not the login credentials used to login to the Lighthouse instance.

NOTE: Lighthouse populates the node name field with the hostname of the enrolled node rather than a user provided value. It is no longer possible for users to specify a custom name, except when enrolling third party nodes. Console servers with firmware 4.1.1 and higher provide their hostname in the node information, with pre-4.1 nodes instead just having their node id used as the name. Nodes enrolled prior to upgrading to 5.2.0 have their names switched to the new standard if the node is running 4.1.1 firmware but will retain their old name if older firmware is still installed.

5. To enroll a generic third-party device, there are three more required fields: Connection Method; Base Protocol Port; and Port Count.

NOTE: The following procedure assumes the third-party device’s license has been added as per the Licensing third-party nodes before enrollment procedure above. If an appropriate license has

Lighthouse 5.2 User Guide 43

not been added to Lighthouse, the procedure will return a No licenses have been applied error and the node will not be added to Lighthouse.

6. Choose SSH or Telnet from the Connection Method drop-down menu, as appropriate for the connection method supported by the third-party device. 7. Enter a base number in the Base Protocol Port. By default, this is set to 3000. The Base Protocol Port number is the starting port number from which the third-party device’s individual serial port network port numbers will be derived. 8. Enter the number of serial ports the third-party device has in the Port Count field. Below the Port Count field is a Serial Port Labels section. Whatever number is entered in the Port Count field, the Port Label x fields in this section will update to match this number in real-time. 9. Optionally, edit the labels used to identify each serial port in the Serial Port Labels section. 10. Click Apply.

Once enrolled, the console server’s details are automatically removed from the Pending Nodes page and automatically added to the Configure Nodes > Node Enrollment > Enrolled Nodes page.

Lighthouse 5.2 User Guide 44

NOTE: As of Lighthouse 5.1.0, third-party devices are added to the config server but not enrolled.

7.2.5 Enrollment via Node Web UI

If the Node is situated behind a firewall, Lighthouse will not be able to initiate an enrollment: it will need to be triggered from the Node Web UI.

1. Log into the Node Web UI. 2. Select Serial & Network > Lighthouse. 3. Enter the Server Address, the Enrollment Bundle (if a specific bundle is being used), and the Enrollment Token (either the global token or the bundle-specific token). 4. Select Apply Settings. The enrollment process begins.

7.2.6 Mass Enrollment using ZTP

For mass node enrollments using ZTP, three new custom DHCP fields are handled by ZTP scripts.

These fields contain the URL, Bundle Name and Enrollment Password used in an enrollment which is kicked off immediately after all other ZTP handling is completed. If a reboot is required because of a config file being provided the enrollment will start after the reboot. Otherwise it happens immediately.

Here is a sample configuration file for the ISC DHCP Server: option space opengear code width 1 length width 1; option opengear.config-url code 1 = text; option opengear.firmware-url code 2 = text; option opengear.enroll-url code 3 = text; option opengear.enroll-bundle code 4 = text; option opengear.enroll-password code 5 = text; class "opengear-config-over-dhcp-test" {

Lighthouse 5.2 User Guide 45

match if option vendor-class-identifier ~~ "^Opengear/"; vendor-option-space opengear; option opengear.config-url "http://192.168.88.1/config.xml"; option opengear.enroll-url "192.168.88.20"; option opengear.enroll-bundle ""; option opengear.enroll-password "default"; }

NOTE: The maximum amount of data allowable as DHCP options is 1200 bytes, including all overhead inherent in the structuring of this data. Individual options are limited to 255 characters.

7.2.7 Enrollment via USB drive

USB Enrollment enables the configuration of a device using a manifest file copied to a USB drive and inserted into the unconfigured device before it first boots.

Once created (see Creating an enrollment bundle above), manifest.og files can be downloaded from a Lighthouse instance as follows:

1. Select Configure Nodes > Node Enrollment > Enrollment Bundles. A list of existing Enrollment Bundles appears. 2. In the Actions column of the particular bundle you want to use, click the download button, a downward arrow in a circle. 3. Depending on your browser’s configuration, a manifest.og file will either be downloaded to your local system, probably to ~/Downloads or C:\Users\%USERNAME%\Downloads\ or your browser will present a dialog asking you to specify where download should be copied.

To enroll via USB drive:

4. Copy manifest.og to the root directory on a USB drive. 5. Plug the USB drive into an unconfigured and powered-down console server. 6. Power the console server up.

On first boot, the device looks for a file — manifest.og — on any USB drives attached to the device and configures the device based on their contents.

Lighthouse 5.2 User Guide 46

7.3 The Enrolled Nodes page

Configure Nodes > Node Enrollment > Enrolled Nodes lists all currently enrolled nodes in the order they are enrolled to Lighthouse.

It also displays details about each node (such as model, firmware version, serial number) and status.

Connection Status is the current status of the node and displays either of two things:

• Connected: Last status change x [time unit] ago: The time since Lighthouse connected to the console server. • Disconnected: last status change x [time unit] ago: The time since Lighthouse disconnected from the console server.

Configuration Retrieval Status displays if any configuration retrieval sections failed when performing a configuration sync with this node, such as Groups, Node Description, Authorization, or Serial Ports.

Configuration Template Run Status displays the result of the most recent configuration template push on this node, listing which templates finished applying, or failed to apply to the node. This information is displayed until the next template push has completed on this node.

The Configuration Retrieval Status and Configuration Template Run Status are not displayed if there is no relevant data to display and are only displayed for users with Lighthouse Administrator or Node Administrator permissions.

Here is what the results of the Configuration Retrieval Status and Configuration Template Run Status indicate:

• Success: all templates were successfully executed on the node.

Lighthouse 5.2 User Guide 47

• Partial Failure: some templates failed to execute on the node, or some config sections failed to synchronize. • Failure: all templates failed to execute on the node, or all config sections failed to synchronize.

The detailed information is shown in a popover that appears when the summary of each status is clicked on, navigated to, or hovered over. The format of the detailed information for each status shown on relevant popovers is as follows:

• Retrieval failed for: section_name, section_name, section_name. • Template(s) failed to apply: template_name, template_name, template_name. • Template(s) successfully applied: template_name, template_name, template_name.

7.4 Filtering pages displaying nodes

There are three ways to filter search results: Free Text Search, Smart Group Filtering, and Managed Device Filtering. They can be used independently from each other or in combination. Manage > Managed Devices > Console Gateway uses all of them because it is the only page which lists all nodes with managed devices.

7.4.1 Filtering using the Free Text Search field

The Free Text Search text-entry field allows the near real-time filtering. It searches over node name, firmware version, management VPN address, MAC address, and serial number. Type a string (e.g. 4.1.1 or 192.168.128.1 or CM7148) and press Return and only the nodes which include that string in their Name or Description will be displayed.

The Free Text Search field treats multiple search terms (i.e. terms delimited by the space character) as Boolean AND searches.

For example, a search on the string:

4.1.1 CM7148 will return any nodes that have both CM7148 AND 4.1.1 in searchable fields (e.g. CM7148 in the name field and 4.1.1 in the firmware version field).

To make a search string that contains spaces into a single searched entity, enclose the string in double quotes.

7.4.2 Filtering using the Smart Group Filtering drop-down menu

Selecting from the Select Smart Group drop-down menu will set the page to display the subset of nodes that belong to the selected group. See Creating Smart Groups below for how to create such groups.

Once a particular Smart Group has been selected, further filtering options become available. For example:

Lighthouse 5.2 User Guide 48

In the example above, the Configure Nodes > Node Enrollment > Enrolled Nodes page is being filtered on the SandyDevices Smart Group.

It is then being further filtered to only display nodes with a City of Sandy, and a Deployment of Remote.

To add more filtering options:

1. Click the + button. An extra row of drop-down menus appears. 2. Select the desired tag from the left-most drop-down menu. 3. Select the filtering operator from middle drop-down menu. 4. Select or enter the value to be filtered against from the right-most drop-down menu. 5. Click Apply.

7.4.3 Filtering using the Managed Device Filtering drop-down menu

Selecting from the Select Managed Device Filter drop-down menu will set the page to display the subset of nodes with filtered managed devices. See Creating Managed Device Filter below for how to create managed device filters.

Once a particular Managed Device Filter has been selected, further filtering options become available. For example:

In the example above, the Manage > Managed Devices > Console Gateway page is being filtered on the DC-west routers Managed Device Filter. It is then being further filtered to only display nodes with a Port Label Begins with router, and a Port Label Contains dc-west.

To add more filtering options:

1. Click the + button. An extra row of drop-down menus appears. 2. Select the Port Label from the left-most drop-down menu. 3. Select the filtering operator from middle drop-down menu. 4. Enter the value to be filtered against from the right-most drop-down menu. 5. Click Apply.

Lighthouse 5.2 User Guide 49

7.5 Creating Smart Groups

Smart Groups are saved search parameters used within Lighthouse for grouping related remote nodes.

A given User Group can be linked to a particular Smart Group. When a Group is linked in this fashion, members of the Group inherit rights over all nodes in the group based on the Group’s Role. See Modifying existing groups for how to set a Group’s Role and Linked Smart Group.

Smart Groups can also be used to filter visible nodes on pages that display enrolled nodes (such as Configure Nodes > Node Enrollment > Enrolled Nodes) to make it easier to drill down to a particular console.

Smart groups are dynamic, so as more nodes are added to the system, the filters will automatically update.

To create a Smart Group:

1. Navigate to any page which displays the Smart Group search interface, for example Configure Nodes > Node Enrollment > Enrolled Nodes or Manage > Nodes > Node Web UI. 2. Click on the Select Smart Group drop-down and select New Smart Group. This populates a number of new drop-downs and text boxes.

3. Click the Field to search drop-down to select a Node attribute to filter on.

These attributes include details about the device (Model, Firmware Version, Serial Number, NET1 MAC Address), and also include any tags that have been configured in the system. For filtering access to devices, tags are generally the most useful attribute to filter on. When a tag is selected, the Value text box becomes a drop down with the values for that tag.

4. Click the Operator drop-down to select the operator to apply to the Value. In general, the Is operator is the most useful. 5. Select the Value to be matched against. 6. Click Apply to see the results of the filter. 7. Click Save As and type in a name for the search.

This Smart Group can now be used for filtering nodes for display, and for access.

7.6 Editing an existing Smart Group

To edit an existing Smart Group:

Select Configure Nodes > Edit Smart Groups.

Lighthouse 5.2 User Guide 50

• Click the X icon to delete an existing Smart Group. • Click the Edit Group icon to change a Smart Group’s name.

To change the search parameters used by a Smart Group:

1. Navigate to a page that displays Smart Groups for filtering (e.g. Configure Nodes > Node Enrollment > Enrolled Nodes). 2. Select the Smart Group you wish to change from the Select Smart Group drop-down menu. 3. Change the parameters (e.g. Tag and Operator values) as required. 4. Click Save as.

5. Leave the Smart Group name unedited and click Apply. The changed Smart Group will overwrite the existing Smart Group.

7.7 Creating Managed Device Filters

Managed Device Filters are saved search parameters used within Lighthouse for grouping related managed devices on remote nodes.

Lighthouse 5.2 User Guide 51

Managed Device Filters can be used to filter visible nodes with managed devices on the Manage > Managed Devices > Console Gateway page to make it easier to find a particular console.

Managed Device Filters are dynamic, so as more nodes with managed devices which match saved filters are added to the system, the filters will automatically update.

To create a Managed Device Filter:

1. Navigate to the Manage > Managed Devices > Console Gateway page 2. Click on the Select Managed Device Filter drop-down and select New Managed Device Filter. This populates a number of new drop-downs and text boxes.

3. Click the Field to search drop-down to select a Node attribute to filter on. 4. Select Port Label configuration. 5. Click the Operator drop-down to select the operator to apply to the Value. In general, the Contains operator is the most useful. 6. Populate the Value to be matched against. 7. Click Apply to see the results of the filter. 8. Click Save As and type in a name for the filter.

This Managed Device Filter can now be used for filtering nodes with managed devices for display and access.

7.8 Editing an existing Managed Device Filter

To edit an existing Managed Device Filter, select Configure Nodes > Edit Managed Device Filters page.

Lighthouse 5.2 User Guide 52

• Click the X icon to delete an existing Managed Device Filter. • Click the edit icon to change a Managed Device Filter’s name.

To change the search parameters used by a Managed Device Filter:

1. Navigate to a page that displays Managed Device Filter, such as Manage > Managed Devices > Console Gateway. 2. Select the Managed Device Filter you wish to change from the Select Managed Device Filter drop-down menu. 3. Change the parameters (e.g. Operator values) as required. 4. Click Save as. 5. Leave the Managed Device Filter name unedited and click Apply. The modified Managed Device Filter overwrites the existing Managed Device Filter.

Lighthouse 5.2 User Guide 53

7.9 Connecting to a Node’s web-management interface

Once a node has been enrolled, its own web-management interface can be accessed from within the Lighthouse UI. To connect to an enrolled node’s web-management interface:

1. Select Manage > Nodes > Node Web UI. 2. In the Actions column, click the Access Web UI link for the node you wish to connect to. The web-based login for that node loads. 3. Authenticate using the username and password required by that node.

NOTE: At the bottom of the browser window is a visual indication that the console server session is being mediated through Lighthouse. This footer also contains a link allowing for a quick return to Lighthouse.

7.10 Connecting to a node’s serial ports via Console Gateway

Searching for serial ports on Lighthouse can be accomplished by selecting Manage > Managed Devices > Console Gateway and Manage > Managed Devices > Quick Search.

NOTE: Port-centric search allows filtering via the Managed Device Filters and displays a list of ports within enrolled nodes that match the search terms, while Node-centric search allows filtering via Smart Groups, and Node properties. Quick Search can be used to quickly filter on the managed device label.

Node-centric searching

1. Select Manage > Managed Devices > Console Gateway. 2. Find the console port you wish to access using the Smart Group Filtering options to restrict the listed nodes. 3. Click the + icon in the Access Console Ports row adjacent the node you wish to access.

Port-centric searching

1. Select Manage > Managed Devices > Console Gateway.

Lighthouse 5.2 User Guide 54

2. Find the console port you wish to access by using the Managed Device Filtering options to restrict the listed managed devices within enrolled nodes.

In both cases, once the particular serial port is located, serial port access via Console Gateway can be accomplished in two ways:

• HTML5 Web Terminal • SSH

Quick Search

1. Select Manage > Managed Devices > Quick Search. 2. Enter the managed device label, aka name, in the Quick Managed Device Search field. This search will live-update as you type. 3. Use Web Terminal and/or SSH links inside Actions on a particular port to access it.

7.10.1 Access via HTML5 Web Terminal

To provide easy console port access, Lighthouse includes a HTML5 Web Terminal. The HTML5 Web Terminal includes native cut, copy and paste support. The terminals available on nodes do not.

To access a console port via the Web Terminal:

1. Locate the port you wish to access using one of the search techniques discussed above. 2. Click the Web Terminal link for the particular port. A new tab opens containing the Web Terminal.

To close a terminal session, close the tab, or type ~. in the Web Terminal window.

7.10.2 Access via SSH

To access ports via SSH, the user can either use a console chooser menu to select the node and the console port or use a direct SSH link from the Web UI to connect directly to the port.

To access a console port via a Direct SSH link:

Lighthouse 5.2 User Guide 55

1. Locate the port you wish to access using one of the search techniques discussed above. 2. Click the SSH link to connect to the URL.

These auto-generated links use the colon (:) as the field-delimiter. The auto-generated SSH link has the following form: ssh://user-name:console-server-name:port-number@lighthouse-ip-address

Some web browsers associate the colon character with delimiting the protocol at the beginning of a URI so they don’t pass these auto-generated URIs correctly.

To work around this, the default delimiter character can be changed. To change this character:

Select Settings > Services > Console Gateway.

• Enter an alternative delimited character in the Console Gateway Port Delimiter text-entry field. The carat character — ^ — is the most common alternative delimiter for URIs being parsed by browsers. • Use the Console Gateway SSH Address drop down menu to choose an address from which to SSH. The list of available addresses contains the current network interfaces and external network addresses. The value defaults to net1:dhcp if it exists and net1:static otherwise. You can add additional external addresses to this list using the Settings > System> Administration page.

To use the console chooser menu, use SSH to connect to the Lighthouse appliance, with the username format username:serial. This will connect to the Lighthouse and present a list of nodes that the user has access to. Once the user selects a node, they are presented with a list of console ports they have access to. When one is selected, the user is connected to that port.

For faster access, there are username format shortcuts that give more specific lists of serial ports, or direct access without a menu.

• username:node_name When a valid node name is specified, a list of console ports that the user has access to on that node will be presented. If they do not have access to that node, the connection will fail. • username:node_name:port_name When a valid node name and port name are specified, and the user has access to that node and

Lighthouse 5.2 User Guide 56

port, the user will be directly connected to that port. If they do not have access to that port, the connection will fail. • username:port_name When a valid port name is specified, the user will be connected to first port with that port name found. If the user does not have access to that port, the connection will fail.

NOTE: Node names and port names are not case sensitive.

7.10.3 Example Console Gateway session

$ ssh adminuser:serial@lighthouse-name-or-ip-here

1: cm71xx

Connect to remote > 1

1: Cisco Console 2: Port 2

Connect to port > 1 router#

Lighthouse 5.2 User Guide 57

8. Lighthouse user management

Lighthouse 5.2.0 supports locally defined users, and remote users that are authenticated and authorized by AAA.

Users must be members of one or more groups. Each group has a role assigned to it, which determines the level of access that group members will have to the system. These roles are:

Role Description Lighthouse The Lighthouse Administrator role is assigned to groups whose members need to manage and Administrator maintain the Lighthouse appliance. Members have access to all data on the Lighthouse system The Node Administrator role is assigned to groups that need to manage and maintain a set of Nodes. Node Each group with the Node Administrator role also must have an associated Smart Group which is Administrator evaluated to define the set of nodes that the group members have access to. The Node User role is assigned to groups that need to access a set of Nodes. Each group with the Node User Node User role also must have an associated Smart Group which is evaluated to define the set of nodes that the group members have access to.

Group membership can either be defined locally for local users or defined on the AAA server. Groups that are assigned by the AAA servers must still exist locally.

8.1 Password fields in Lighthouse

All password fields in Lighthouse are write-only. They accept data from the clipboard or pasteboard but do not pass data out. Passwords that you don’t want to either type or retype, must be copied to your local clipboard or pasteboard outside Lighthouse. They can then be safely copied in to password fields in the Lighthouse user interface.

8.2 Creating new groups

To create a new group:

1. Select Settings > User Management > Groups. 2. Click +. The New Group dialog opens. 3. Enter a Group Name, Description, and select a Role for the group.

Lighthouse 5.2 User Guide 58

Group Name is case sensitive. It can contain numbers and some alphanumeric characters. When using remote authentication, characters from a user's remote groups that are not allowed on Lighthouse will be converted to underscores during the authentication stages. Local groups can be created that take that into account, allowing the authentication to continue.

If the Role selected is Lighthouse Administrator, members of the group will automatically be added to the All Nodes Linked Smart Group.

If the Role selected is Node Administrator or Node User, select a Smart Group to define the nodes that the group has access to.

1. Select Group Enabled checkbox to enable group. 2. Click Save Group.

NOTE: When a new group is given the Lighthouse Administrator role, members of the group will have access to the sudo command. Groups or users with the Lighthouse Administrator role are added to the admin group, which is in the list of allowed sudoers. On first boot of a new Lighthouse instance, the root user is the only member of the admin group and the only user with sudo access.

8.3 Modifying existing groups

To modify an existing group:

1. Select Settings > User Management > Groups. 2. Click Edit in the Actions section of the group to be modified and make desired changes. 3. Click Save Group.

Lighthouse 5.2 User Guide 59

The Modify Group dialog allows the group’s Description, Role, and Linked Smart Group to be set and changed.

If a Group’s Role is Lighthouse Administrator, the group’s Linked Smart Group is All Nodes and this cannot be changed. If a Group has a Linked Smart Group other than All Nodes, the group’s Role cannot be set to Lighthouse Administrator.

See Creating Smart Groups above for details regarding creating and using Smart Groups.

The Modify Group dialog also allows you to delete a group. All users who were members of the deleted group lose any access and administrative rights inherited from the group.

8.4 A note on default netgrp Lighthouse group The netgrp group is inherited as the primary group for all remote AAA users who are not defined locally on Lighthouse. By default, netgrp has the Lighthouse Administrator role and is disabled - it must be enabled to take effect for remote AAA users.

8.5 Creating new users

To create a new user:

Lighthouse 5.2 User Guide 60

1. Select Settings > User management > Local Users. If you have not yet created any users, the root user is the only user listed. 2. Click the + button. The New User dialog appears.

3. Enter a Username, Description, and Password. 4. Re-enter the Password in the Confirm Password field. 5. Select the Enabled checkbox. 6. Click Apply.

To create a new user without password which causes them to fail back to remote authentication:

1. Select Settings > User management > Remote Authentication 2. Apply Remote Authentication Settings. 3. Select Settings > User management > Local Users 4. Click the + button. The New User dialog loads. 5. Enter a Username, Description. 6. Select the Remote Password Only checkbox. 7. Select the Enabled checkbox. 8. Click Apply.

NOTE: When a new user is created, an entry is added to the syslog, indicating the new user's name, the user that performed the operation, and the time that it occurred:

2018-04-03T12:42:48.587744+00:00 lighthouse configurator_users[28915]: User added to passwords file 2018-04-03T12:42:48.710530+00:00 lighthouse og-rest-api: User created by

If the created user is set to disabled, the configurator_users message will not appear as they have not been added to the passwords file.

Lighthouse 5.2 User Guide 61

You can view the syslog from within Lighthouse by clicking Help > Technical Support Report.

8.6 Modifying existing users

To modify an existing user:

1. Select Settings > User management > Local Users 2. Click Edit in the Actions section of the user to be modified and make desired changes. 3. Click Save User.

The Modify Users dialog allows the user’s Description to be changed and the user’s Password to be reset. The username cannot be changed. To disable a user, uncheck the Enabled checkbox.

Disabled users cannot login to Lighthouse using either the Web-based interface or via shell-based logins (i.e. sshusername-you-disabled@lighthouse-name-or-ip). The user and the /home/username-you-disabled directory still exist in the Lighthouse VM file system.

8.7 Deleting users

To delete a user:

1. Select Settings > User management > Local Users 2. Click Delete in the Actions section of the user to be modified. 3. Click Yes in the Confirmation dialog.

Lighthouse 5.2 User Guide 62

8.8 Disabling a Lighthouse root user

To disable a root user:

1. Make sure that another user exists that is in a group that has the Lighthouse Administrator role. 2. Select Settings > User management > Local Users 3. Click Disable in the Actions section of the root user. 4. Click Yes in the Confirmation dialog.

To enable root user back log in with another user exists that is in a group that has the Lighthouse Administrator role and click Enable in the Actions section of the root user.

8.9 Configuring AAA

Lighthouse supports three AAA systems:

• LDAP (Active Directory and OpenLDAP) • RADIUS • TACACS+

Authentication works much the same with each, but group membership retrieval varies. The following sections detail the configuration settings for each provider and explain how group membership retrieval works.

To begin, select Settings > User Management > Remote Authentication.

8.9.1 LDAP Configuration

1. Select LDAP from the Scheme drop-down box.

Lighthouse 5.2 User Guide 63

2. Add the Address and optionally the Port of the LDAP server to query. 3. Add the Base DN that corresponds to the LDAP system being queried.

For example, if a user’s distinguished name is cn=John Doe,dc=Users,dc=ACME,dc=com, the Base DN is dc=ACME,dc=com

4. Add the Bind DN. This is the distinguished name of a user with privileges on the LDAP system to perform the lookups required for retrieving the username of the users, and a list of the groups they are members of. 5. Add the password for the binding user. 6. Add the Username Attribute. This depends on the underlying LDAP system. Use sAMAccountName for Active Directory systems, and uid for OpenLDAP based systems. 7. Add the Group Membership Attribute. This is only needed for Active Directory and is generally memberOf.

NOTE: Multiple servers can be added. The LDAP subsystem will query them in a round-robin fashion.

8.9.2 RADIUS configuration

To configure RADIUS:

1. Select Settings > User Management > Remote Authentication.

2. In the Settings section, select RADIUS from the Scheme drop-down menu. 3. Add the Address and optionally the Port of the RADIUS authentication server to query. 4. Add the Address and optionally the Port of the RADIUS accounting server to send accounting information to. 5. Add the Server password (Also known as the RADIUS Secret).

NOTE: Multiple servers can be added. The RADIUS subsystem will query them in a round-robin fashion.

Lighthouse 5.2 User Guide 64

To provide group membership, RADIUS needs to be configured to provide a list of group names via the Framed-Filter-Id attribute. The following configuration snippet shows how this can be configured for FreeRADIUS:

operator1 Auth-Type := System Framed-Filter-ID = ":group_name=west_coast_admin,east_coast_user:"

NOTE: The Framed-Filter-ID attribute must be delimited by the colon character.

8.9.3 TACACS+ configuration

To configure TACACS+:

1. Select Settings > User Management > Remote Authentication.

2. Select TACACS+ from the Scheme drop-down menu. 3. Add the Address and optionally the Port of the TACACS+ authentication server to query. 4. Select the Login Method. PAP is the default method. However, if the server uses DES-encrypted passwords, select Login. 5. Add the Server password, also known as the TACACS+ Secret. 6. Add the Service. This determines the set of attributes sent back by the TACACS+ server

NOTE: Multiple servers can be added. The TACACS+ subsystem will query them in a round-robin fashion.

To provide group membership, TACACS+ needs to be configured to provide a list of group names This following configuration snippet shows how this can be configured for a tac_plus server: user = operator1 { service = raccess { groupname = west_coast_admin,east_cost_user } }

Lighthouse 5.2 User Guide 65

To do this with Cisco ACS, see Setting up permissions with Cisco ACS 5 and TACACS+ on the Opengear Help Desk.

Lighthouse 5.2 User Guide 66

9. Lighthouse central configuration

Templates are a centralized way of changing the configuration for enrolled Opengear console server nodes by pushing pre-defined configuration templates to selected nodes. Lighthouse 5.2.0 supports the creation and execution of Group, Authentication and Script templates.

9.1 Creating new group templates

Only users assigned to the Lighthouse Administrator role can access Configure Nodes > Configuration Templating > Group Templates and create templates.

A group template contains a list of groups that are set as the list of user-defined groups on the node. Each group has a defined role which determines what privileges group members will have.

The available roles are:

• Node Administrator — maps to the administrator role on the nodes. • Node User — maps to the all ports user role and the pmshell role on the nodes.

To create a new group template:

1. Select Configure Nodes > Configuration Templating > Group Templates. 2. Click the + button. The New Group Template dialog loads.

3. Enter a Name and Description for a template in the Template Details section. 4. Click the + button in the Set Group List section to add a new group. The Group Details dialog loads. 5. Enter a Group Name, a Description, and select a Role for the group. 6. Click Apply. 7. Click Save Template.

NOTE: When a group template is pushed to a node, all custom groups on that node are replaced by the groups defined in the template’s group list.

Lighthouse 5.2 User Guide 67

9.2 Modifying existing group templates

The Edit Group Template dialog allows a template’s Description and Group List to be set and changed.

To modify an existing group template:

1. Select Configure Nodes > Configuration Templating > Group Templates.

2. Click Edit in the Actions section of the template to be modified. The Edit Group Template dialog appears.

3. Make changes as required. 4. Click Save Template.

9.3 Deleting group templates

To delete a group template:

Lighthouse 5.2 User Guide 68

1. Select Configure Nodes > Configuration Templating > Group Templates. 2. Click Delete in the Actions section of the template to be removed. The Confirmation alert box appears.

3. Click Yes in the Confirmation dialog. The group template is deleted.

9.4 Creating new authentication templates

Only users assigned to the Lighthouse Administrator role can access Configure Nodes > Configuration Templating > Authentication Templates and create authentication templates.

The supported modes are Local, Radius, TACACS+, and LDAP. For example, if an authentication template is configured to use RADIUS as an authentication source, that corresponds to RADIUSDownLocal with Use Remote Groups ticked on the downstream node.

To create a new authentication template:

1. Select Configure Nodes > Configuration Templating > Authentication Templates. 2. Click the + button. The New Authentication Template dialog loads.

3. Enter a Name and Description for a template in the Template Details section. 4. Select a desired Scheme or click Pre-populate to pre-populate a template with the current Lighthouse remote authentication configuration. 5. Enter or update authentication settings if required. See Configuring AAA above for an example.

Lighthouse 5.2 User Guide 69

6. Click Save Template.

NOTE: When an authentication template is pushed to a node, the authentication settings at that node are replaced by the those defined in the authentication template.

NOTE: The authentication templates do not currently support the full list of settings that the Opengear console servers support. However, templates can be applied, and then additional settings configured manually.

9.5 Modifying existing authentication templates

The Edit Authentication Template dialog allows the template’s Description and Authentication Settings to be set and changed.

To modify an existing authentication template:

1. Select Configure Nodes > Configuration Templating > Authentication Templates.

2. Click Edit in the Actions section of the template to be modified. The Edit Authentication Template dialog appears.

Lighthouse 5.2 User Guide 70

5. Make required changes. 6. Click Save Template.

9.6 Deleting authentication templates To delete an authentication template:

1. Select Configure Nodes > Configuration Templating > Authentication Templates. 2. Click Delete in the Actions section of the template to be removed. The Confirmation alert box appears.

3. Click Yes in the Confirmation dialog. The authentication template is deleted.

9.7 Creating new script templates

Only users assigned to the Lighthouse Administrator role can access Configure Nodes > Configuration Templating > Script Templates and create script templates.

Lighthouse 5.2 User Guide 71

Script Templates allow the user to upload arbitrary shell scripts to be run on a node. A script may set additional configuration settings not available in other templates or store additional files onto the node such as certificates, for example. The uploaded script must have a .sh extension and can’t be more than 1MB in size. Other than those, there are no other restrictions on the script file to be uploaded. Once saved, the template will store the size and SHA1 checksum of the script. This can be used to verify the script contents of the template once saved. To apply script templates, the selected nodes need to be running firmware version 4.1.1 or later.

To create a new script template:

1. Select Configure Nodes > Configuration Templating > Script Templates. 2. Click the + button. The New Script Template dialog loads.

3. Enter a Name and Description for a template in the Template Details section. 4. To select a script to upload, click Choose file. 5. Click Save Template. Script checksum and Script size are shown after template with uploaded script is saved.

9.8 Modifying existing script templates

The Edit Script Template dialog allows the template’s Description, Script timeout, and Script File to be uploaded. To modify an existing script template:

1. Select Configure Nodes > Configuration Templating > Script Templates.

Lighthouse 5.2 User Guide 72

2. Click Edit in the Actions section of the template to be modified. The Edit Script Template dialog appears.

3. Make required changes. 4. Click Save Template.

9.9 Deleting script templates To delete a script template completely:

1. Select Configure Nodes > Configuration Templating > Script Templates. 2. Click Delete in the Actions section of the template to be removed. The Confirmation alert box appears.

Lighthouse 5.2 User Guide 73

3. Click Yes in the Confirmation dialog. The script template is deleted.

9.10 Apply Templates

Users with Lighthouse Administrator privileges (i.e. users with the Lighthouse Administrator role or users who are members of groups with the Lighthouse Administrator role) can access Configure Nodes > Configuration Templating > Apply Templates and execute templates affecting any node.

Users with Node Administrator privileges (i.e. users with the Node Administrator role or users who are members of groups with the Node Administrator role) can access Configure Nodes > Configuration Templating > Apply Templates and execute templates affecting nodes in Smart Groups linked to their role.

Apply Templates consists of four stages, each one a step in the overall wizard. The steps are:

1. Select Template. 2. Select Nodes. 3. Preflight. This is a test run, simulating what happens if the template is pushed to the selected nodes. 4. Execution.

To apply a template:

1. Select Configure Nodes > Configuration Templating > Apply Templates.

2. Select a template from the existing template tree. Template Details populates with details from the selected template.

Lighthouse 5.2 User Guide 74

3. Click Next — Select Nodes. The Select Nodes stage loads.

4. Select nodes from the list of enrolled nodes. You can use the Smart Group Filtering and Free Text Search Filtering to narrow down the results.

The screenshot above shows filtering being used to set the list of enrolled nodes to match the set of nodes an administrator wishes to deal with.

NOTE: Third-party nodes are not supported for template execution.

5. Click Next — Preflight. The Preflight stage loads. This stage requires manual refresh to retrieve updated Preflight Result and Details.

After all nodes finish preflight, a success message appears and Next — Push Configuration becomes active.

Lighthouse 5.2 User Guide 75

6. Select desired nodes for template execution and click Next — Push Configuration. The Configuration Status stage loads. This stage requires manual refresh to retrieve updated Push Result and Details.

After all nodes finish the template push a success message appears.

Lighthouse 5.2 User Guide 76

10. Command line tools

Lighthouse 5.2.0 includes a web-based terminal. To access this bash shell instance:

1. Select Manage > Lighthouse > Local Terminal.

2. At the presented login prompt, enter an administrator’s username and press Return. 3. A password: prompt appears. Enter the administrator’s password and press Return. 4. A bash shell prompt appears.

This shell supports most standard bash commands and also supports copy-and-paste to and from the terminal.

Lighthouse-specific shell-based tools are listed below.

10.1 node-command

The node-command tool is used to run commands on managed console servers, allowing administrators to easily run a single CLI command in bulk, on all or on a range of their console server deployment.

To run node commands, you must be authorized as an admin group user.

You can get an overview of the tool from the command line: node-command --help

See a list of all the registered console servers that the tool can operate on: node-command --list-nodes

Example node-command Output

Lighthouse 5.2 User Guide 77

== node-command ID 2017-05-19T14:08:33.360164_29534 == 14:08:33 [SUCCESS] BNE-R01-ACM7004-5 192.168.128.2:22 OpenGear/ACM7004-5 Lighthouse 3b90d826 -- Tue May 9 13:42:16 EST 2017

14:08:33 [SUCCESS] BNE-R02-IM7216 192.168.128.3:22 OpenGear/IM72xx Lighthouse 3b90d826 -- Tue Jul 5 13:42:16 EST 20167

10.2 node-info node-info is a shell-based tool for pulling more detailed information from console servers.

Example node-info output

$ node-info -A BNE-R01-ACM7004-5 address: 192.168.128.2 id: nodes-1 ssh port: 22 description: Brisbane Rack 1 enrollment status: Enrolled connection status: Connected BNE-R02-IM7216 address: 192.168.128.3 id: nodes-2 ssh port: 22 description: Brisbane Rack 2 enrollment status: Enrolled connection status: Connected

10.3 node-upgrade node-upgrade is a tool for running bulk firmware upgrades on managed console servers.

By passing in required information — such as the firmware version to upgrade to, the location of the firmware image to upgrade with, and the nodes to upgrade — via appropriate flags, node-upgrade can upgrade the firmware on multiple console servers and report results back to STD OUT with a single command. node-upgrade accepts twelve flags as follows:

-h -–help Display this message -q -–quiet Suppress command output -b --batch Suppress node-command output -l --list-nodes List all nodes matching query, or all nodes if none selected -i --node-id=ID Select node by config ID -n --node-name=name Select node by name -a --node-address=address Select node by VPN address -g --smartgroup=name Select nodes by the smart group they resolve to -A --all Select all available nodes -f --firmware-dir The directory of the firmware file(s).

Lighthouse 5.2 User Guide 78

-v --version The firmware version to upgrade to. -z --ignore-version Ignore firmware version warnings for upgrade.

An example node-upgrade run

The following is an example node-upgrade command. It sets /mnt/nvram/ as the directory node- upgrade looks to for the firmware image used as the source for all the firmware upgrade attempts. Every console server being managed from the active Lighthouse instance is targeted for an upgrade and the target console servers are set to upgrade to firmware 4.0.0.

# node-upgrade -A -f /mnt/nvram -v 4.1.0

When run, node-upgrade returns information to STD OUT, such as the following:

Upgrading firmware for device family: ACM550X Upgrading firmware for device family: CM71XX Upgrading firmware for device family: CM7196 Upgrading firmware for device family: ACM7004-5 Upgrading firmware for device family: IM72XX im7208: flashing firmware file: im72xx-4.1.0.flash [FAILURE] acm5508: not upgraded to OpenGear/ACM5508-2 version 4.1.0. Reason for failure: No firmware available for ACM550X device family. [FAILURE] cm7148: not upgraded to OpenGear/CM7148-2-DAC version 4.1.0. Reason for failure: netflash failed due to the same firmware currently on the device. [FAILURE] cm7196: not upgraded to OpenGear/CM7196A-2-DAC version 4.1.0. Reason for failure: netflash failed due to the same firmware currently on the device. [FAILURE] acm7004: not upgraded to OpenGear/ACM7004-5-LMR version 4.1.0. Reason for failure: netflash failed due to the same firmware currently on the device. [SUCCESS] im7208: upgraded to OpenGear/IM7208-2-DAC-LR version 4.1.0. node-upgrade also returns status codes 0 (success) or 1 (failure) when particular conditions are met.

Exit code 0 (success) is returned under the following conditions:

• Success • Successful upgrade of all nodes. • No nodes selected for upgrade. • No firmware found in nominated directory.

Exit code 1 (failure) is returned under the following conditions:

• Missing or invalid command line options. • The current user is not authorized to execute commands on a node. • The specified firmware directory was invalid (i.e. because it does not exist or is not readable). • At least one node upgrade failed.

Lighthouse 5.2 User Guide 79

10.4 ogadduser ogadduser is a shell-based tool for creating users.

Basic ogadduser usage syntax is as follows:

$ ogadduser -u testuser -p mypassword -g admin

NOTE: When a new user is created via ogadduser, an entry is added to the syslog.

10.5 ogconfig-cli ogconfig-cli allows users to inspect and modify the configuration tree from the command line. It is inherently transactional in nature, allowing users to ensure their configuration is correct before pushing it to the configuration server.

As the root user, start the tool with: ogconfig-cli

10.5.1 Commands to try from within the ogconfig-cli tool

• help • get . • print . 2 • print users[0].username • find users enabled false

10.5.2 Config searches uses ogconfig-cli

You can perform simple config searches from inside ogconfig-cli with the find command.

NOTE: The element being searched must be a list, otherwise the command will return an error.

The syntax is: find

For example, to find enabled users use: ogcfg > find users enabled true

Or to find the enabled ports on a particular node set: ogcfg> find nodes[0].ports mode 'ConsoleServer'

Lighthouse 5.2 User Guide 80

10.5.3 Changing a configuration from within ogconfig-cli

From inside ogconfig-cli: ogcfg> set system.hostname "opengear-lighthouse-new" ogcfg> push ogcfg> quit

To see that the change has taken effect:

$ cat /etc/hostname

A configuration change doesn’t take effect until it is pushed to the configuration server. For example, from inside ogconfig-cli: ogcfg> set system.hostname "opengear-lighthouse-new-again" ogcfg> print system.hostname ogcfg> quit

To verify that the change did not yet take effect:

$ cat /etc/hostname

10.5.4 Configuration validation from within ogconfig-cli

Configuration is internally validated before being applied so that an incorrect configuration cannot be accidentally set. For example, from inside ogconfig-cli, setting an invalid ethernet link speed is rejected: ogcfg> set system.net.physifs[0].ethernet.link_speed "1GB" ogcfg> push Commit failed Messages: String is not in the list of allowed values Push command failed ogcfg> quit

10.5.5 Support for mounting the hard disks with ogconfig-cli

Extra hard disks can be mounted in the Lighthouse VM by adding them to the configuration. Each new disk needs to have a partition created and formatted. Partitions can be created using fdisk or cfdisk, and should be formatted using the ext4 filesystem, using the mkfs.ext4 command: root@lighthouse:~# mkfs.ext4 /dev/sdb1

You must also create the directory in which to mount the filesystem. In general, new filesystems should be mounted in the provided mountpoint of /mnt/aux. Any other filesystems should be mounted within the filesystem mounted here.

Lighthouse 5.2 User Guide 81

Add the information to the configuration system using ogconfig-cli as follows, modifying the path for your specific situation. ogcfg> var m !append system.mountpoints map {8435270-fb39-11e7-8fcf-4fa11570959}: Map <> ogcfg> set {m}.node "/dev/sdb1" {b8c37c6-fb39-11e7-971c-23517b19319}: String ogcfg> set {m}.path "/mnt/aux" {1fb50d8-fb39-11e7-994c-0f10b09cbd4}: String ogcfg> push OK

10.6 oglicdump oglicdump is a shell-based tool for displaying and saving the current third-party licensing status of a Lighthouse instance.

When used without a switch, oglicdump writes the current status to STD OUT.

To write this status out to a file, or in machine readable form, or as a raw license container string, or to write out a sub-set of the licensing information (such as licenses for a given SKU), use one of the switches oglicdump supports:

-h Displays this help. -v Display version information -o File to write out to. Default is stdout. -s Specific SKU code to dump out. Default is all SKU codes. -f Specific feature value to dump out. This is only valid in conjunction with -s. -c Output contacts only. This is only valid in conjunction with -s. -m Output machine readable, as in compact formatted. -r Output the raw license container strings from config.

10.7 cron

Cron service can be used for scheduled cron jobs runs. Daemon can be managed via the /etc/init.d/crond interface, and cron tables managed via crontab. Crontab supports:

Usage: crontab [options] file crontab [options] crontab -n [hostname]

Options: -u define user -e edit user's crontab -l list user's crontab -r delete user's crontab

Lighthouse 5.2 User Guide 82

-i prompt before deleting -n set host in cluster to run users' crontabs -c get host in cluster to run users' crontabs -x enable debugging

To perform start/stop/restart on crond service:

/etc/init.d/crond start

Cron doesn't need to be restarted when crontab file is modified, it will examine the modification time on all crontabs and reload those which have changed.

To verify the current crond status:

/etc/init.d/crond status

To check current cron jobs running with the following command to list all crontabs: crontab -l

To edit or create a custom crontab file: crontab -e

This will open a personal cron configuration file. Each line can be defined as one command to run. The following format is used: minute hour day-of-month month day-of-week command

For example, append the following entry to run a script every day at 3am:

0 3 * * * /etc/config/backup.sh

Save and close the file.

10.8 sysflash sysflash is the shell-based tool for upgrading a Lighthouse instance’s system.

Basic syntax is as follows: # sysflash [flags] [path/to/system-image.lg_upg | Percent-encoded URL to firmware-image.lg_upg]

Image filenames cannot include spaces. And, as the syntax example above notes, URLs must be Percent- encoded. sysflash includes eight flags which modify the standard upgrade behavior as well as the -h or --help flag, which returns all the available flags and their effects:

Lighthouse 5.2 User Guide 83

-b, --board-name Override board name (currently lighthouse-vm) -B, --board-revision Override board revision (currently 1.0) -V, --vendor Override vendor (currently opengear) -I, --no-version-check Do not check software version for upgradability -m, --no-migration Do not migrate current config. Start fresh. -v, --verbose Increase verbosity (may repeat) -o, --no-boot-once Do not modify bootloader (implies --no-reboot) -r, --no-reboot Do not reboot after upgrading -h, --help Print this help

10.9 Selecting nodes using shell-based tools

There are a number of ways to select nodes (also known as console servers) as targets on which to run a command. These can be used multiple times, or together, to select a range of console servers:

Select individually by name, address, Lighthouse VPN address, config index or smart group (as per --list- nodes output): node-command --node-name BNE-R01-IM4248 node-command --node-address 192.168.0.33 node-command --node-index nodes-1 node-command --smartgroup="model-acm"

10.9.1 Select all nodes node-command --all

10.9.2 Running commands on selected nodes

Once nodes are selected, the commands to be run for each can be given. These are run on each managed node, in parallel. Any command you can run from a node shell can be run on each managed node.

NOTE: All commands are run as root.

For example, to check the version on two specific, configured nodes, selecting one by name and the other by index, run the following command: node-command --node-name BNE-R01-ACM7004-5 --node-index nodes-2 cat /etc/version

NOTE: When using non-trivial selection arguments, check which target nodes have been selected on your initial command pass by using the --list-nodes switch rather than the final command.

Lighthouse 5.2 User Guide 84

11. System upgrades

A Lighthouse appliance’s system can be upgraded using a .lh_upg image file.

Once the upgrade is complete, the Lighthouse instance reboots. It is unavailable during the reboot process.

11.1 Upgrading the system from within Lighthouse

To upgrade a Lighthouse instance’s system using the Lighthouse UI:

1. Select Settings > System > System Upgrade. 2. Select the Upgrade Method, either Fetch image from HTTP/HTTPS Server or Upload Image.

If upgrading via Fetch image from HTTP/HTTPS Server:

1. Enter the URL for the system image in the Image URL text-entry field. 2. Click Perform Upgrade.

Or if upgrading via Upload Image:

1. Click the Choose file button. 2. Navigate to the directory containing the system-upgrade-image.lh_upg file. 3. Select the system-upgrade-image.lh_upg file and press Return. 4. Click Perform Upgrade.

NOTE: The Advanced Options section, which expands to present an Upgrade Options text-entry field, should only be used if a system upgrade is being performed as part of an Opengear Support call. If a specific option is required, the Opengear Support technician will specify it.

Once the upgrade has started, the System Upgrade page displays feedback as to the state of the process.

A system upgrade attempt will return the error System version was not higher than the current version if the selected image file is not, in fact, a more recent version than that already installed.

Lighthouse 5.2 User Guide 85

11.2 Upgrading the Lighthouse system via the Local Terminal

Lighthouse includes a shell-based tool — sysflash — that allows a user with administrative privileges to upgrade the instance’s system from the Local Terminal.

To upgrade Lighthouse instance’s system using the Lighthouse Local Terminal:

1. Select Manage > Lighthouse > Local Terminal. 2. At the [hostname] login: prompt, enter an administrator username and press Return. 3. At the Password: prompt, enter the administrator’s password and press Return. 4. To use sysflash in conjunction with a .lh_upg file available via an HTTP or HTTP server:

At the Local Terminal bash shell prompt, enter a URL. It must be URL-encoded:

sysflash http[s]%3A%2F%2Fdomain.tld%2Fpath%2Fto%2Ffirmware-upgrade- image.lh_upg

5. Press Return.

To use sysflash in conjunction with a .lh_upg file available via the local file system:

1. At the Local Terminal bash shell prompt enter:

sysflash /path/to/system-upgrade-image.lh_upg.

2. Press Return.

NOTE: sysflash includes several flags that allow for variations in the standard system upgrade process. These flags should not be used unless directed to do so by Opengear Support.

Flags are listed by running either of the following at a Local Terminal bash shell prompt:

• sysflash -h or • sysflash --help • The same listing is presented in the sysflash entry of the Command line tools chapter above.

Lighthouse 5.2 User Guide 86

12. Troubleshooting

12.1 Finding the current Lighthouse instance version

12.1.1 Using the web UI

1. Click System on the top right of the Lighthouse instance’s web UI. 2. The Details menu appears, listing the Lighthouse instance’s Current version, REST API version, Hostname, and Current user.

12.1.2 Via the local Lighthouse shell

1. Click Manage > Lighthouse > Local Terminal 2. At the [hostname] login: prompt, enter an administrator username and press Return. 3. At the Password: prompt, enter the administrator’s password and press Return. 4. At the bash shell prompt, enter cat /etc/version and press Return.

The current Lighthouse instance’s version is returned to STD OUT. For example:

[administrator-username]@[hostname]:~# cat /etc/version 5.2.0

NOTE: The procedure above uses the Web UI to reach the Lighthouse Local Terminal. This is not the only way to reach the Lighthouse shell and cat /etc/version works in any circumstance where an administrator has access to the Lighthouse shell. For example, many of the Virtual Machine Manager applications that can run a Lighthouse instance offer virtual console access. If this is available and an administrator logs in to the Lighthouse shell via this console, the command string will work as expected.

12.1.3 Other information sources related to a Lighthouse instance’s version

Two other command strings can be useful when specifics about a particular Lighthouse instance are needed.

Lighthouse 5.2 User Guide 87

Both these commands can be run by an administrator with access to a running Lighthouse instance’s bash shell.

First is cat /etc/sw*. This command concatenates the following four files to STD OUT:

/etc/sw_product /etc/sw_variant /etc/sw_vendor /etc/sw_version

For example:

# cat /etc/sw* ironman release opengear 5.2.0

Second is cat /etc/issue. /etc/issue is a standard *nix text file which contains system information for presenting before the system’s login prompt. On a Lighthouse instance, etc/issue contains the vendor, and the Ironman/Lighthouse version

# cat /etc/issue Opengear Ironman 5.2.0 \n \l

12.2 Technical support reports

Lighthouse 5.2.0 can generate a technical support report that includes Lighthouse configuration information and the current system log for the Lighthouse VM.

If you contact Opengear Technical Support, the support technician may ask for this report.

12.2.1 Generate a support report via the Lighthouse interface

To generate a complete configuration and status report regarding a given Lighthouse VM:

1. Select Help > Technical Support Report.

Lighthouse generates this support report on demand and the report includes the current system log. This process can take several minutes.

Lighthouse 5.2 User Guide 88

2. Click Download support report.

This downloads a PKZip archive to your local system. The archive’s filename is structured as follows: support-[host-name]-[iso-8601-order-date-and-time-stamp].zip

It contains two files:

§ system.txt — the configuration information also presented in the Technical Support Report window. § messages — the current Lighthouse VM system log.

The two files are also presented in the Support Report text box below the Download support report link. Because the report includes the current system log, this will almost certainly be a long but scrollable presentation. This presentation is, however, searchable using your web browser’s built-in search function.

12.2.2 Generate a support report via the local terminal

To generate a complete configuration and status report regarding a given Lighthouse VM:

1. Select Manage > Lighthouse > Local Terminal. 2. At the [hostname] login: prompt, enter an administrator username and press Return. 3. At the password: prompt, enter the administrator’s password and press Return. 4. At the bash shell prompt, enter

support-report -z > /tmp/support.zip

and press Return

NOTE: This is the recommended way of running the support-report command. The -z switch generates the same combined file produced by the Download support report link noted in the Lighthouse UI-specific procedure above. And the redirect saves this generated PKZip file to /tmp/support.zip for retrieval at your convenience.

12.3 Returning a Lighthouse instance to factory settings

To return an enrolled console server to its factory settings using Lighthouse:

Lighthouse 5.2 User Guide 89

1. Login to the Lighthouse web-based interface as root. Other users, even those with full administrative privileges, do not have the permissions required to reset the Lighthouse VM to its factory settings. 2. Select Settings > System > Factory Reset.

3. Select the Proceed with the factory reset checkbox. 4. Click Reset.

Alternatively, running the following shell script as root performs a full factory reset:

/usr/bin/factory_reset

This script prompts for confirmation before performing the factory reset. The factory reset procedure and the shell script are equivalent to logging in to a console server’s web-based management interface (see Connecting to a console server’s web-management interface above) and doing the following:

1. Select Administration 2. Check the Config Erase checkbox. 3. Click Apply.

NOTE: Returning a console server to its factory settings in this fashion does not un-enroll the server from the Lighthouse VM.

NOTE: You can download the latest User Manual from the Opengear documentation page at opengear.com/support/documentation. It can be easily accessed by Help > User Manual link in the top bar menu.

Lighthouse 5.2 User Guide 90

13. Technical support

Purchaser is entitled to twelve (12) months free telephone support and free e-mail support (worldwide) from date of purchase provided that the Purchaser first register their product(s) with Opengear by filling in the on-line form at opengear.com/product-registration.

Direct telephone, help-desk and e-mail support is available from 09:00 to 20:00, US Eastern Time (UTC -5 or UTC -4). Other support options are at opengear.com/support.html.

Opengear’s standard warranty includes free access to Opengear’s Knowledge Base as well as any application notes, white papers and other on-line resources that may become available from time to time.

Opengear reserves the right to stop support for products no longer covered by warranty.

Lighthouse 5.2 User Guide 91

14. End-user license agreements

14.1 Opengear end-user license agreement

READ BEFORE USING THE ACCOMPANYING SOFTWARE

YOU SHOULD CAREFULLY READ THE FOLLOWING TERMS AND CONDITIONS BEFORE USING THE ACCOMPANYING SOFTWARE, THE USE OF WHICH IS LICENSED FOR USE ONLY AS SET FORTH BELOW. IF YOU DO NOT AGREE TO THE TERMS AND CONDITIONS OF THIS AGREEMENT, DO NOT USE THE SOFTWARE. IF YOU USE ANY PART OF THE SOFTWARE, SUCH USE WILL INDICATE THAT YOU ACCEPT THESE TERMS.

You have acquired a product that includes Opengear (“Opengear”) proprietary software and/or proprietary software licensed to Opengear. This Opengear End User License Agreement (“EULA”) is a legal agreement between you (either an individual or a single entity) and Opengear for the installed software product of Opengear origin, as well as associated media, printed materials, and “online” or electronic documentation (“Software”). By installing, copying, downloading, accessing, or otherwise using the Software, you agree to be bound by the terms of this EULA. If you do not agree to the terms of this EULA, Opengear is not willing to license the Software to you. In such event, do not use or install the Software. If you have purchased the Software, promptly return the Software and all accompanying materials with proof of purchase for a refund.

Products with separate end user license agreements that may be provided along with the Software are licensed to you under the terms of those separate end user license agreements.

LICENSE GRANT. Subject to the terms and conditions of this EULA, Opengear grants you a nonexclusive right and license to install and use the Software on a single CPU, provided that, (1) you may not rent, lease, sell, sublicense or lend the Software; (2) you may not reverse engineer, decompile, disassemble or modify the Software, except and only to the extent that such activity is expressly permitted by applicable law notwithstanding this limitation; and (3) you may not transfer rights under this EULA unless such transfer is part of a permanent sale or transfer of the Product, you transfer at the same time all copies of the Software to the same party or destroy such materials not transferred, and the recipient agrees to this EULA.

No license is granted in any of the Software’s proprietary source code. This license does not grant you any rights to patents, copyright, trade secrets, trademarks or any other rights with respect to the Software.

You may make a reasonable number of copies of the electronic documentation accompanying the Software for each Software license you acquire, provided that, you must reproduce and include all copyright notices and any other proprietary rights notices appearing on the electronic documentation. Opengear reserves all rights not expressly granted herein.

INTELLECTUAL PROPERTY RIGHTS. The Software is protected by copyright laws, international copyright treaties, and other intellectual property laws and treaties. Opengear and its suppliers retain all ownership of, and intellectual property rights in (including copyright), the Software components and all copies thereof, provided however, that (1) certain components of the Software, including SDT Connector, are components licensed under the GNU General Public License Version 2, which Opengear supports, and (2) the SDT Connector includes code from JSch, a pure Java implementation of SSH2 which is licensed under BSD style license. Copies of these licenses are detailed below and Opengear will provide source code for any of the components of the Software licensed under the GNU General Public License upon request.

Lighthouse 5.2 User Guide 92

EXPORT RESTRICTIONS. You agree that you will not export or re-export the Software, any part thereof, or any process or service that is the direct product of the Software in violation of any applicable laws or regulations of the United States or the country in which you obtained them.

U.S. GOVERNMENT RESTRICTED RIGHTS. The Software and related documentation are provided with Restricted Rights. Use, duplication, or disclosure by the Government is subject to restrictions set forth in subparagraph (c) (1) (ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227- 7013 or subparagraphs (c) (1) and (2) of the Commercial Computer Software – Restricted Rights at 48 C.F.R. 52.227-19, as applicable, or any successor regulations.

TERM AND TERMINATION. This EULA is effective until terminated. The EULA terminates immediately if you fail to comply with any term or condition. In such an event, you must destroy all copies of the Software. You may also terminate this EULA at any time by destroying the Software.

GOVERNING LAW AND ATTORNEY’S FEES. This EULA is governed by the laws of the State of Utah, USA, excluding its conflict of law rules. You agree that the United Nations Convention on Contracts for the International Sale of Goods is hereby excluded in its entirety and does not apply to this EULA. If you acquired this Software in a country outside of the United States, that country’s laws may apply. In any action or suit to enforce any right or remedy under this EULA or to interpret any provision of this EULA, the prevailing party will be entitled to recover its costs, including reasonable attorneys’ fees.

ENTIRE AGREEMENT. This EULA constitutes the entire agreement between you and Opengear with respect to the Software, and supersedes all other agreements or representations, whether written or oral. The terms of this EULA can only be modified by express written consent of both parties. If any part of this EULA is held to be unenforceable as written, it will be enforced to the maximum extent allowed by applicable law, and will not affect the enforceability of any other part.

Should you have any questions concerning this EULA, or if you desire to contact Opengear for any reason, please contact the Opengear representative serving your company.

THE FOLLOWING DISCLAIMER OF WARRANTY AND LIMITATION OF LIABILITY IS INCORPORATED INTO THIS EULA BY REFERENCE. THE SOFTWARE IS NOT FAULT TOLERANT. YOU HAVE INDEPENDENTLY DETERMINED HOW TO USE THE SOFTWARE IN THE DEVICE, AND OPENGEAR HAS RELIED UPON YOU TO CONDUCT SUFFICIENT TESTING TO DETERMINE THAT THE SOFTWARE IS SUITABLE FOR SUCH USE.

LIMITED WARRANTY Opengear warrants the media containing the Software for a period of ninety (90) days from the date of original purchase from Opengear or its authorized retailer. Proof of date of purchase will be required. Any updates to the Software provided by Opengear (which may be provided by Opengear at its sole discretion) shall be governed by the terms of this EULA. In the event the product fails to perform as warranted, Opengear’s sole obligation shall be, at Opengear’s discretion, to refund the purchase price paid by you for the Software on the defective media, or to replace the Software on new media. Opengear makes no warranty or representation that its Software will meet your requirements, will work in combination with any hardware or application software products provided by third parties, that the operation of the software products will be uninterrupted or error free, or that all defects in the Software will be corrected.

OPENGEAR DISCLAIMS ANY AND ALL OTHER WARRANTIES, WHETHER EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION, ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. OTHER THAN AS STATED HEREIN, THE ENTIRE RISK AS TO SATISFACTORY QUALITY, PERFORMANCE, ACCURACY, AND EFFORT IS WITH YOU. ALSO, THERE IS NO WARRANTY AGAINST INTERFERENCE WITH YOUR ENJOYMENT OF THE SOFTWARE OR AGAINST INFRINGEMENT. IF YOU HAVE RECEIVED ANY WARRANTIES REGARDING THE DEVICE OR THE SOFTWARE, THOSE WARRANTIES DO NOT ORIGINATE FROM, AND ARE NOT BINDING ON, OPENGEAR.

Lighthouse 5.2 User Guide 93

NO LIABILITY FOR CERTAIN DAMAGES. EXCEPT AS PROHIBITED BY LAW, OPENGEAR SHALL HAVE NO LIABILITY FOR COSTS, LOSS, DAMAGES OR LOST OPPORTUNITY OF ANY TYPE WHATSOEVER, INCLUDING BUT NOT LIMITED TO, LOST OR ANTICIPATED PROFITS, LOSS OF USE, LOSS OF DATA, OR ANY INCIDENTAL, EXEMPLARY SPECIAL OR CONSEQUENTIAL DAMAGES, WHETHER UNDER CONTRACT, TORT, WARRANTY OR OTHERWISE ARISING FROM OR IN CONNECTION WITH THIS EULA OR THE USE OR PERFORMANCE OF THE SOFTWARE. IN NO EVENT SHALL OPENGEAR BE LIABLE FOR ANY AMOUNT IN EXCESS OF THE LICENSE FEE PAID TO OPENGEAR UNDER THIS EULA. SOME STATES AND COUNTRIES DO NOT ALLOW THE LIMITATION OR EXCLUSION OF LIABILITY FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES, SO THIS LIMITATION MAY NOT APPLY TO YOU.

14.2 GNU general public license (GPL), version 2 GNU GENERAL PUBLIC LICENSE Version 2, June 1991

Copyright (C) 1989, 1991 Free Software Foundation, Inc. 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA

Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed.

GNU GENERAL PUBLIC LICENSE TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION

0. This License applies to any program or other work which contains a notice placed by the copyright holder saying it may be distributed under the terms of this General Public License. The "Program", below, refers to any such program or work, and a "work based on the Program" means either the Program or any derivative work under copyright law: that is to say, a work containing the Program or a portion of it, either verbatim or with modifications and/or translated into another language. (Hereinafter, translation is included without limitation in the term "modification".) Each licensee is addressed as "you".

Activities other than copying, distribution and modification are not covered by this License; they are outside its scope. The act of running the Program is not restricted, and the output from the Program is covered only if its contents constitute a work based on the Program (independent of having been made by running the Program). Whether that is true depends on what the Program does.

1. You may copy and distribute verbatim copies of the Program's source code as you receive it, in any medium, provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice and disclaimer of warranty; keep intact all the notices that refer to this License and to the absence of any warranty; and give any other recipients of the Program a copy of this License along with the Program.

You may charge a fee for the physical act of transferring a copy, and you may at your option offer warranty protection in exchange for a fee.

2. You may modify your copy or copies of the Program or any portion of it, thus forming a work based on the Program, and copy and distribute such modifications or work under the terms of Section 1 above, provided that you also meet all of these conditions:

a) You must cause the modified files to carry prominent notices stating that you changed the files and the date of any change.

b) You must cause any work that you distribute or publish, that in whole or in part contains or is derived from the Program or any part thereof, to be licensed as a whole at no charge to all third parties under the terms of this License.

Lighthouse 5.2 User Guide 94

c) If the modified program normally reads commands interactively when run, you must cause it, when started running for such interactive use in the most ordinary way, to print or display an announcement including an appropriate copyright notice and a notice that there is no warranty (or else, saying that you provide a warranty) and that users may redistribute the program under these conditions, and telling the user how to view a copy of this License. (Exception: if the Program itself is interactive but does not normally print such an announcement, your work based on the Program is not required to print an announcement.)

These requirements apply to the modified work as a whole. If identifiable sections of that work are not derived from the Program, and can be reasonably considered independent and separate works in themselves, then this License, and its terms, do not apply to those sections when you distribute them as separate works. But when you distribute the same sections as part of a whole which is a work based on the Program, the distribution of the whole must be on the terms of this License, whose permissions for other licensees extend to the entire whole, and thus to each and every part regardless of who wrote it.

Thus, it is not the intent of this section to claim rights or contest your rights to work written entirely by you; rather, the intent is to exercise the right to control the distribution of derivative or collective works based on the Program.

In addition, mere aggregation of another work not based on the Program with the Program (or with a work based on the Program) on a volume of a storage or distribution medium does not bring the other work under the scope of this License.

3. You may copy and distribute the Program (or a work based on it, under Section 2) in object code or executable form under the terms of Sections 1 and 2 above provided that you also do one of the following:

a) Accompany it with the complete corresponding machine-readable source code, which must be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or,

b) Accompany it with a written offer, valid for at least three years, to give any third party, for a charge no more than your cost of physically performing source distribution, a complete machine-readable copy of the corresponding source code, to be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or,

c) Accompany it with the information you received as to the offer to distribute corresponding source code. (This alternative is allowed only for noncommercial distribution and only if you received the program in object code or executable form with such an offer, in accord with Subsection b above.)

The source code for a work means the preferred form of the work for making modifications to it. For an executable work, complete source code means all the source code for all modules it contains, plus any associated interface definition files, plus the scripts used to control compilation and installation of the executable. However, as a special exception, the source code distributed need not include anything that is normally distributed (in either source or binary form) with the major components (compiler, kernel, and so on) of the operating system on which the executable runs, unless that component itself accompanies the executable.

If distribution of executable or object code is made by offering access to copy from a designated place, then offering equivalent access to copy the source code from the same place counts as distribution of the source code, even though third parties are not compelled to copy the source along with the object code.

4. You may not copy, modify, sublicense, or distribute the Program except as expressly provided under this License. Any attempt otherwise to copy, modify, sublicense or distribute the Program is void, and will automatically terminate your rights under this License. However, parties who have received copies, or rights, from you under this License will not have their licenses terminated so long as such parties remain in full compliance.

5. You are not required to accept this License, since you have not signed it. However, nothing else grants you permission to modify or distribute the Program or its derivative works. These actions are prohibited by law if you do

Lighthouse 5.2 User Guide 95 not accept this License. Therefore, by modifying or distributing the Program (or any work based on the Program), you indicate your acceptance of this License to do so, and all its terms and conditions for copying, distributing or modifying the Program or works based on it.

6. Each time you redistribute the Program (or any work based on the Program), the recipient automatically receives a license from the original licensor to copy, distribute or modify the Program subject to these terms and conditions. You may not impose any further restrictions on the recipients' exercise of the rights granted herein. You are not responsible for enforcing compliance by third parties to this License.

7. If, as a consequence of a court judgment or allegation of patent infringement or for any other reason (not limited to patent issues), conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of this License. If you cannot distribute so as to satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may not distribute the Program at all. For example, if a patent license would not permit royalty-free redistribution of the Program by all those who receive copies directly or indirectly through you, then the only way you could satisfy both it and this License would be to refrain entirely from distribution of the Program.

If any portion of this section is held invalid or unenforceable under any particular circumstance, the balance of the section is intended to apply and the section as a whole is intended to apply in other circumstances.

It is not the purpose of this section to induce you to infringe any patents or other property right claims or to contest validity of any such claims; this section has the sole purpose of protecting the integrity of the free software distribution system, which is implemented by public license practices. Many people have made generous contributions to the wide range of software distributed through that system in reliance on consistent application of that system; it is up to the author/donor to decide if he or she is willing to distribute software through any other system and a licensee cannot impose that choice.

This section is intended to make thoroughly clear what is believed to be a consequence of the rest of this License.

8. If the distribution and/or use of the Program is restricted in certain countries either by patents or by copyrighted interfaces, the original copyright holder who places the Program under this License may add an explicit geographical distribution limitation excluding those countries, so that distribution is permitted only in or among countries not thus excluded. In such case, this License incorporates the limitation as if written in the body of this License.

9. The Free Software Foundation may publish revised and/or new versions of the General Public License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns.

Each version is given a distinguishing version number. If the Program specifies a version number of this License which applies to it and "any later version", you have the option of following the terms and conditions either of that version or of any later version published by the Free Software Foundation. If the Program does not specify a version number of this License, you may choose any version ever published by the Free Software Foundation.

10. If you wish to incorporate parts of the Program into other free programs whose distribution conditions are different, write to the author to ask for permission. For software which is copyrighted by the Free Software Foundation, write to the Free Software Foundation; we sometimes make exceptions for this. Our decision will be guided by the two goals of preserving the free status of all derivatives of our free software and of promoting the sharing and reuse of software generally.

NO WARRANTY

11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN

Lighthouse 5.2 User Guide 96

OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION.

12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

END OF TERMS AND CONDITIONS

How to Apply These Terms to Your New Programs

If you develop a new program, and you want it to be of the greatest possible use to the public, the best way to achieve this is to make it free software which everyone can redistribute and change under these terms. To do so, attach the following notices to the program. It is safest to attach them to the start of each source file to most effectively convey the exclusion of warranty; and each file should have at least the “copyright” line and a pointer to where the full notice is found. one line to give the program’s name and a brief idea of what it does. Copyright © year name of author

This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.

Also add information on how to contact you by electronic and paper mail.

If the program is interactive, make it output a short notice like this when it starts in an interactive mode:

Gnomovision version 69, Copyright © year name of author Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type ‘show w’. This is free software, and you are welcome to redistribute it under certain conditions; type ‘show c’ for details.

Lighthouse 5.2 User Guide 97

The hypothetical commands ‘show w’ and ‘show c’ should show the appropriate parts of the General Public License. Of course, the commands you use may be called something other than ‘show w’ and ‘show c’; they could even be mouse-clicks or menu items—whatever suits your program.

You should also get your employer (if you work as a programmer) or your school, if any, to sign a “copyright disclaimer” for the program, if necessary. Here is a sample; alter the names:

Yoyodyne, Inc., hereby disclaims all copyright interest in the program ‘Gnomovision’ (which makes passes at compilers) written by James Hacker. signature of Ty Coon, 1 April 1989 Ty Coon, President of Vice

This General Public License does not permit incorporating your program into proprietary programs. If your program is a subroutine library, you may consider it more useful to permit linking proprietary applications with the library. If this is what you want to do, use the GNU Lesser General Public License instead of this License.

Lighthouse 5.2 User Guide 98

15. Standard Warranty

Opengear, Inc., its parent, affiliates and subsidiaries, (collectively, “Opengear”) warrant your Opengear product to be in good working order and to be free from defects in workmanship and material (except in those cases where the materials are supplied by the Purchaser) under normal and proper use and service for the period of four (4) years from the date of original purchase from an Authorized Opengear reseller. In the event that this product fails to meet this warranty within the applicable warranty period, and provided that Opengear confirms the specified defects, Purchaser’s sole remedy is to have Opengear, in Opengear’s sole discretion, repair or replace such product at the place of manufacture, at no additional charge other than the cost of freight of the defective product to and from the Purchaser. Repair parts and replacement products will be provided on an exchange basis and will be either new or reconditioned. Opengear will retain, as its property, all replaced parts and products. Notwithstanding the foregoing, this hardware warranty does not include service to replace or repair damage to the product resulting from accident, disaster, abuse, misuse, electrical stress, negligence, any non-Opengear modification of the product except as provided or explicitly recommended by Opengear, or other cause not arising out of defects in material or workmanship. This hardware warranty also does not include service to replace or repair damage to the product if the serial number or seal or any part thereof has been altered, defaced or removed. If Opengear does not find the product to be defective, the Purchaser will be invoiced for said inspection and testing at Opengear’s then current rates, regardless of whether the product is under warranty.